heap out of bounds read in convert_latin1
Brought to you by: sobukus
The attached file causes an out of bounds read in mpg123, detectable with address sanitizer. This was found with the tool american fuzzy lop.
Here's the stack trace output from asan:
==15557==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000000333 at pc 0x0000005610b3 bp 0x7ffebe8287f0 sp 0x7ffebe8287e8
READ of size 1 at 0x60d000000333 thread T0
    #0 0x5610b2 in convert_latin1 /mnt/ram/mpg123-1.25.0/src/libmpg123/id3.c:980:5
    #1 0x5576b8 in INT123_id3_to_utf8 /mnt/ram/mpg123-1.25.0/src/libmpg123/id3.c:309:2
    #2 0x55abed in store_id3_text /mnt/ram/mpg123-1.25.0/src/libmpg123/id3.c:274:2
    #3 0x55abed in process_text /mnt/ram/mpg123-1.25.0/src/libmpg123/id3.c:368
    #4 0x55abed in INT123_parse_new_id3 /mnt/ram/mpg123-1.25.0/src/libmpg123/id3.c:917
    #5 0x53e74f in handle_id3v2 /mnt/ram/mpg123-1.25.0/src/libmpg123/parse.c:1071:8
    #6 0x53e74f in skip_junk /mnt/ram/mpg123-1.25.0/src/libmpg123/parse.c:1152
    #7 0x53e74f in INT123_read_frame /mnt/ram/mpg123-1.25.0/src/libmpg123/parse.c:525
    #8 0x574001 in get_next_frame /mnt/ram/mpg123-1.25.0/src/libmpg123/libmpg123.c:625:7
    #9 0x574984 in mpg123_decode_frame /mnt/ram/mpg123-1.25.0/src/libmpg123/libmpg123.c:861:12
    #10 0x524ff2 in play_frame /mnt/ram/mpg123-1.25.0/src/mpg123.c:739:7
    #11 0x528f97 in main /mnt/ram/mpg123-1.25.0/src/mpg123.c:1363:8
    #12 0x7f9d2db941e0 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.24-r3/work/glibc-2.24/csu/../csu/libc-start.c:289
    #13 0x41af59 in _start (/mnt/ram/mpg123+0x41af59)

0x60d000000333 is located 0 bytes to the right of 131-byte region [0x60d0000002b0,0x60d000000333)
allocated by thread T0 here:
    #0 0x4d19a8 in malloc (/mnt/ram/mpg123+0x4d19a8)
    #1 0x55806d in INT123_parse_new_id3 /mnt/ram/mpg123-1.25.0/src/libmpg123/id3.c:744:34
    #2 0x53e74f in handle_id3v2 /mnt/ram/mpg123-1.25.0/src/libmpg123/parse.c:1071:8
    #3 0x53e74f in skip_junk /mnt/ram/mpg123-1.25.0/src/libmpg123/parse.c:1152
    #4 0x53e74f in INT123_read_frame /mnt/ram/mpg123-1.25.0/src/libmpg123/parse.c:525
    #5 0x574001 in get_next_frame /mnt/ram/mpg123-1.25.0/src/libmpg123/libmpg123.c:625:7
Yeah, of course a parser issue. There is one byte read too much. I think this is an if(tagpos > framesize) which should be if(tagpos >= framesize). There is another position in that code where I suspect some care needs to be taken, so I will fix this tomorrow, not late at night now.
I can reproduce nicely. I am having a hard look at the whole ID3 frame parser code block with its differing reads for differing ID3v2 revisions. So far this is only code that may read too much. Buffers for writes are properly allocated. Thus I currently only see the DoS aspect of possibly crashing the decoder/parser, but no injection nasty. I'm not even sure on how easy it will be in practice to make the parser crash … as it never occurred in the wild yet (to my knowledge) that the single byte following the ID3 buffer does not belong to the mpg123 process to read from.
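As an added illustration of the off-by-one guard discussed in the two comments above (model code, not mpg123's own implementation; the function names, the counting accessor and the sample frame bytes are constructed for the demo), this scans a NUL-terminated latin1 text frame with the loose guard (tagpos > framesize) beside the corrected one (tagpos >= framesize). An unterminated frame, the case that triggers the ASan report, makes the loose guard touch buf[framesize] exactly once.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not mpg123's code: a latin1 text frame of framesize
 * bytes scanned for its terminator. strict selects the guard. */

static size_t oob_reads;   /* reads requested past the end of the frame */

/* Bounds-checked accessor standing in for a raw buf[tagpos] read;
 * instead of faulting it counts what AddressSanitizer would report. */
static unsigned char read_byte(const unsigned char *buf, size_t framesize, size_t pos)
{
    if (pos >= framesize) {
        oob_reads++;
        return 0;
    }
    return buf[pos];
}

/* Returns the number of bytes before the NUL (or the whole frame if none).
 * Loose guard: tagpos may equal framesize, so one byte past the end is read. */
size_t latin1_text_len(const unsigned char *buf, size_t framesize, int strict)
{
    size_t tagpos = 0;
    while (strict ? tagpos < framesize : tagpos <= framesize) {
        if (read_byte(buf, framesize, tagpos) == 0)
            break;
        tagpos++;
    }
    return tagpos;
}

/* Constructed frame with no terminator: the text fills all 8 bytes.
 * Returns how many out-of-bounds reads the chosen guard permits. */
size_t scan_unterminated_frame(int strict)
{
    const unsigned char frame[8] = {0x54, 0x49, 0x54, 0x4c, 0x45, 0xe9, 0xe8, 0xe0};
    oob_reads = 0;
    (void)latin1_text_len(frame, sizeof frame, strict);
    return oob_reads;
}

/* Constructed, properly terminated frame under the corrected guard. */
size_t scan_terminated_frame(void)
{
    const unsigned char frame[6] = {'A', 'B', 0, 'C', 'D', 'E'};
    return latin1_text_len(frame, sizeof frame, 1);
}

int main(void)
{
    printf("loose guard:  %zu out-of-bounds read(s)\n", scan_unterminated_frame(0));
    printf("strict guard: %zu out-of-bounds read(s)\n", scan_unterminated_frame(1));
    return 0;
}
```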
Well, then, I got it covered with SVN revision 4253. The current state of fixup of the issues reported recently is in
svn://scm.orgis.org/mpg123/branches/1.25.1
The fixes also appear in the https://mpg123.org/snapshot being generated just now (NEWS entries missing).
Is there an ETA for 1.25.1?