[ID3 Dev] Buffer overrun in ID3v2.3

Phil Pellouchoud Phil at broadbandinstruments.com
Wed Nov 1 07:10:20 PST 2006


Hi,

I'm not sure where to submit this, but I wanted to share it with
everyone just in case they're using ID3v2.3.

I found a buffer overrun in the code in file mp3_parse.cpp.

bool Mp3Info::Parse(ID3_Reader& reader, size_t mp3size)
{
  ...
  ...
  const size_t VBR_HEADER_MIN_SIZE = 8;     // "xing" + flags are fixed
  const size_t VBR_HEADER_MAX_SIZE = 120;   // frames (4), bytes (4), toc (100) and scale (4) are optional + VBR_HEADER_MIN_SIZE
  //const size_t VBR_HEADER_MAX_SIZE = 116;   // frames, bytes, toc and scale are optional

  if (mp3size >= vbr_header_offest + VBR_HEADER_MIN_SIZE)
  {
    char vbrheaderdata[VBR_HEADER_MAX_SIZE+1]; //+1 to hold the 0 char
    unsigned char *pvbrdata = (unsigned char *)vbrheaderdata;
    int vbr_filesize = 0;
    int vbr_scale = 0;
    int vbr_flags = 0;

    // get fixed part of vbr header
    // and check if valid

    beg = vbr_header_offest;
    reader.setCur(beg);
    reader.readChars(vbrheaderdata, VBR_HEADER_MIN_SIZE);
    vbrheaderdata[VBR_HEADER_MIN_SIZE] = '\0';

    if (pvbrdata[0] == 'X' &&
        pvbrdata[1] == 'i' &&
        pvbrdata[2] == 'n' &&
        pvbrdata[3] == 'g')
    {
      // get vbr flags
      pvbrdata += 4;
      vbr_flags = ExtractI4(pvbrdata);
      pvbrdata += 4;

      //  read entire vbr header
      int vbr_header_size = VBR_HEADER_MIN_SIZE
                           + ((vbr_flags & FRAMES_FLAG)? 4:0)
                           + ((vbr_flags & BYTES_FLAG)? 4:0)
                           + ((vbr_flags & TOC_FLAG)? 100:0)
                           + ((vbr_flags & SCALE_FLAG)? 4:0);
      // in this scenario, vbr_header_size can equal
      // VBR_HEADER_MIN_SIZE + 4 + 4 + 100 + 4 = 120
      // which is bigger than 116.

      if (mp3size >= vbr_header_offest + vbr_header_size)
      {
        reader.readChars(&vbrheaderdata[VBR_HEADER_MIN_SIZE],
                         vbr_header_size - VBR_HEADER_MIN_SIZE);
        vbrheaderdata[vbr_header_size] = '\0';
        // and then you're using the index calculated above to
        // write into the buffer!

        // get frames, bytes, toc and scale

        if (vbr_flags & FRAMES_FLAG)
        {
          vbr_frames = ExtractI4(pvbrdata);
          pvbrdata +=4;
        }

        if (vbr_flags & BYTES_FLAG)
        {
          vbr_filesize = ExtractI4(pvbrdata);
          pvbrdata +=4;
        }

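The arithmetic behind the report, as an added C example rather than id3lib code: xing_header_size mirrors the parser's size computation and yields 120 bytes when all four flags are set, which overruns a buffer sized for the old 116, and safe_copy_xing adds the capacity check the original copy lacked. The flag bit values and the big-endian flag word follow the Xing header format; the function names and the sample header are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Xing/VBR header flag bits, as in the Xing header format. */
#define FRAMES_FLAG 0x0001
#define BYTES_FLAG  0x0002
#define TOC_FLAG    0x0004
#define SCALE_FLAG  0x0008
#define VBR_HEADER_MIN_SIZE 8    /* "Xing" + 4 flag bytes, always present */
#define VBR_HEADER_MAX_SIZE 120  /* corrected bound: 8 + 4 + 4 + 100 + 4 (was 116) */

/* Bytes the header occupies for a given flag word; same arithmetic as the parser. */
size_t xing_header_size(uint32_t flags)
{
    return VBR_HEADER_MIN_SIZE
         + ((flags & FRAMES_FLAG) ? 4 : 0)
         + ((flags & BYTES_FLAG)  ? 4 : 0)
         + ((flags & TOC_FLAG)    ? 100 : 0)
         + ((flags & SCALE_FLAG)  ? 4 : 0);
}

/* Hardened copy: check the magic, read the big-endian flag word, and refuse to
   copy unless header + NUL fit both the input and the destination (outcap
   excludes the NUL). Returns bytes copied, or 0 when the header is rejected. */
size_t safe_copy_xing(const unsigned char *data, size_t datalen,
                      char *out, size_t outcap)
{
    if (datalen < VBR_HEADER_MIN_SIZE || memcmp(data, "Xing", 4) != 0)
        return 0;
    uint32_t flags = ((uint32_t)data[4] << 24) | ((uint32_t)data[5] << 16)
                   | ((uint32_t)data[6] << 8)  |  (uint32_t)data[7];
    size_t need = xing_header_size(flags);
    if (need > datalen || need > outcap)   /* the check the old code lacked */
        return 0;
    memcpy(out, data, need);
    out[need] = '\0';                      /* index need <= outcap is in bounds */
    return need;
}

/* Constructed sample: a 120-byte all-flags header (field bytes left zero) copied
   into a destination of the given capacity; 116 is the reported overrun case. */
size_t demo_copy_all_flags(size_t outcap)
{
    unsigned char hdr[VBR_HEADER_MAX_SIZE] = {0};
    char out[VBR_HEADER_MAX_SIZE + 1];
    memcpy(hdr, "Xing", 4);
    hdr[7] = FRAMES_FLAG | BYTES_FLAG | TOC_FLAG | SCALE_FLAG; /* flags = 0x0000000F */
    return safe_copy_xing(hdr, sizeof hdr, out, outcap);
}
```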