From 6032557a21e4dac8bb2606bb5b58e27d85a7ff98 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Wed, 10 Jan 2018 09:58:57 +0100
Subject: [PATCH 24/29] Fix global buffer overflow in printMP3Headers.

The printMP3Headers function in util/listmp3.c processes mp3 files without checking their bitrate values. This leads to bitrate_idx = 15 being used as index in mp2l23_bitrate_table[bitrate_idx] while mp2l23_bitrate_table has only 14 elements. In this commit we add a check rejecting mp3 files declaring invalid bitrates. This commit fixes CVE-2017-16898 (fixes: #75).
---
util/listmp3.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/util/listmp3.c b/util/listmp3.c
index de9d9f73..3564ff92 100644
--- a/util/listmp3.c
+++ b/util/listmp3.c
@@ -119,6 +119,11 @@ void printMP3Headers(FILE *f)
error("invalid samplerate index"); } + if (bitrate_idx == 15) + { + error("invalid bitrate 15"); + } + channels = ((flags & MP3_CHANNEL) == MP3_CHANNEL_MONO) ? 1 : 2; switch(flags & MP3_VERSION)
--
2.14.3
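Review bot: The new guard in printMP3Headers rejects only `bitrate_idx == 15`, but the commit message says mp2l23_bitrate_table has 14 elements; if that count is exact, index 14 is also past the end and still reaches the lookup. Deriving the bound from the table instead of a literal would cover that case, e.g. `if (bitrate_idx >= sizeof(mp2l23_bitrate_table) / sizeof(mp2l23_bitrate_table[0]))`, with the same form for any other bitrate table this function indexes with the value. The guard also only helps if error() does not return, which the samplerate check just above it assumes as well; neither error() nor the table lookup is visible here, since the function body starts and ends outside the hunk. A short comment such as `/* bitrate index comes from the untrusted frame header; reject it before any table lookup */` would record why the check sits at this point.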