From 1b901d77aada2480bc01b8439b9dc71c9f1a1b50 Mon Sep 17 00:00:00 2001
From: Balint Reczey <balint@balintreczey.hu>
Date: Sat, 31 Dec 2016 01:52:30 +0100
Subject: [PATCH 2/8] Fix using EOF marker -1 value as a valid flag byte

Also known as CVE-2016-9266

Fixes: #53
---
 util/listmp3.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

--- a/util/listmp3.c
+++ b/util/listmp3.c
@@ -74,6 +74,8 @@
 for(;;) {
+ int flags_char;
+ int i;
 /* get 4-byte header, bigendian */
 if((flags = fgetc(f)) == EOF)
 break;
@@ -92,9 +94,17 @@
 break;
 flags <<= 24;
- flags += fgetc(f) << 16;
- flags += fgetc(f) << 8;
- flags += fgetc(f);
+ for (i = 2; i >= 0; --i)
+ {
+ if ((flags_char = fgetc(f)) == EOF)
+ {
+ error("truncated file");
+ }
+ else
+ {
+ flags += flags_char << (i * 8);
+ }
+ }
 if((flags & MP3_FRAME_SYNC) != MP3_FRAME_SYNC)
 break;
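Review bot: The `error("truncated file")` branch in the second hunk is only safe if `error()` never returns; if it does, the loop keeps calling `fgetc()` on an exhausted stream and then falls through to the `MP3_FRAME_SYNC` test with a partially assembled `flags`. Unless `error()` is known to exit, make the bail-out explicit there, e.g. `error("truncated file"); break;`, and drop the `else` so the accumulate line follows directly; the first header byte on the preceding context line already uses `break` on EOF, so the two exits would then be consistent. Separately, the context line `flags <<= 24;` shifts a value of up to 0xFF past bit 31, which is undefined if `flags` is a signed `int` (its declaration is outside the hunk); presumably declaring it `unsigned` would make the header assembly and the mask comparison well-defined. The enclosing `for(;;)` loop and its function begin and end outside the hunk.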