[ID3 Dev] Buffer overrun in ID3v2.3
Phil Pellouchoud
Phil at broadbandinstruments.com
Wed Nov 1 07:10:20 PST 2006
Hi,
I'm not sure where to submit this, but I wanted to share it with
everyone just in case they're using ID3v2.3.
I found a buffer overrun in the file mp3_parse.cpp; the relevant excerpt, with my comments, is below.
bool Mp3Info::Parse(ID3_Reader& reader, size_t mp3size)
{
...
...
const size_t VBR_HEADER_MIN_SIZE = 8; // "xing" + flags are fixed
const size_t VBR_HEADER_MAX_SIZE = 120; // frames (4), bytes (4),
toc (100) and scale (4) are optional + VBR_HEADER_MIN_SIZE
//const size_t VBR_HEADER_MAX_SIZE = 116; // frames, bytes, toc and
scale are optional
if (mp3size >= vbr_header_offest + VBR_HEADER_MIN_SIZE)
{
char vbrheaderdata[VBR_HEADER_MAX_SIZE+1]; //+1 to hold the 0 char
unsigned char *pvbrdata = (unsigned char *)vbrheaderdata;
int vbr_filesize = 0;
int vbr_scale = 0;
int vbr_flags = 0;
// get fixed part of vbr header
// and check if valid
beg = vbr_header_offest;
reader.setCur(beg);
reader.readChars(vbrheaderdata, VBR_HEADER_MIN_SIZE);
vbrheaderdata[VBR_HEADER_MIN_SIZE] = '\0';
if (pvbrdata[0] == 'X' &&
pvbrdata[1] == 'i' &&
pvbrdata[2] == 'n' &&
pvbrdata[3] == 'g')
{
// get vbr flags
pvbrdata += 4;
vbr_flags = ExtractI4(pvbrdata);
pvbrdata += 4;
// read entire vbr header
int vbr_header_size = VBR_HEADER_MIN_SIZE
+ ((vbr_flags & FRAMES_FLAG)? 4:0)
+ ((vbr_flags & BYTES_FLAG)? 4:0)
+ ((vbr_flags & TOC_FLAG)? 100:0)
+ ((vbr_flags & SCALE_FLAG)? 4:0);
// in this scenario, vbr_header_size can equal
// VBR_HEADER_MIN_SIZE + 4 + 4 + 100 + 4 = 120
// which is bigger than 116.
if (mp3size >= vbr_header_offest + vbr_header_size)
{
reader.readChars(&vbrheaderdata[VBR_HEADER_MIN_SIZE],
vbr_header_size - VBR_HEADER_MIN_SIZE);
vbrheaderdata[vbr_header_size] = '\0';
// and then you're using the index calculated above to
// write into the buffer!
// get frames, bytes, toc and scale
if (vbr_flags & FRAMES_FLAG)
{
vbr_frames = ExtractI4(pvbrdata);
pvbrdata +=4;
}
if (vbr_flags & BYTES_FLAG)
{
vbr_filesize = ExtractI4(pvbrdata);
pvbrdata +=4;
}