Fix global buffer overflow in printMP3Headers.

The printMP3Headers function in util/listmp3.c processes mp3 files without checking their bitrate values. This leads to bitrate_idx = 15 being used as index in mp2l23_bitrate_table[bitrate_idx] while mp2l23_bitrate_table has only 14 elements. In this commit we add a check rejecting mp3 files declaring invalid bitrates. This commit fixes CVE-2017-16898 (fixes: libming#75).
hlef · Jan 10, 2018 · 6032557 · 6032557
1 parent ded97d0
commit 6032557
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/NEWS b/NEWS
@@ -22,6 +22,8 @@
     issue #94)
   * Fix heap buffer overflow in dcputs (global buffer missing \0 character)
     (CVE-2017-11732, issue #80)
+  * Fix global buffer overflow in printMP3Headers (invalid bitrate 15 not
+    detected) (CVE-2017-16898, issue #75).
 
 0.4.8 - 2017-04-07
 

diff --git a/util/listmp3.c b/util/listmp3.c
@@ -119,6 +119,11 @@ void printMP3Headers(FILE *f)
       error("invalid samplerate index");
     }
 
+    if (bitrate_idx == 15)
+    {
+      error("invalid bitrate 15");
+    }
+
     channels = ((flags & MP3_CHANNEL) == MP3_CHANNEL_MONO) ? 1 : 2;
 
     switch(flags & MP3_VERSION)