libid3 crashes (stack smashing) when reading VBR MP3 file
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
id3lib3.8.3 (Ubuntu) | Fix Released | Medium | Christian Mangold |
Bug Description
libid3-3.8.3 crashes when reading an MP3 file with variable bitrate (VBR).
Reproduction:
lame -v /usr/share/
id3info vbr.mp3
*** stack smashing detected ***: id3info terminated
======= Backtrace: =========
/lib/tls/
/lib/tls/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
id3info[0x804aeb6]
/lib/tls/
id3info[0x8049601]
The same happens with other applications using libid3 (e.g. Kid3).
Patch to fix the buffer overflow:
----
diff -ru id3lib3.
--- id3lib3.
+++ id3lib3.
@@ -465,7 +465,7 @@
// from http://
const size_t VBR_HEADER_MIN_SIZE = 8; // "xing" + flags are fixed
- const size_t VBR_HEADER_MAX_SIZE = 116; // frames, bytes, toc and scale are optional
+ const size_t VBR_HEADER_MAX_SIZE = 120; // frames, bytes, toc and scale are optional
if (mp3size >= vbr_header_offest + VBR_HEADER_
{
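Review bot: The replacement value on the `VBR_HEADER_MAX_SIZE` line is still a bare literal, so nothing ties it to the fields the trailing comment lists. Consider expressing it as `VBR_HEADER_MIN_SIZE` plus the individual field sizes (4 for frames, 4 for bytes, 100 for the toc, 4 for scale, giving 8 + 112 = 120) and stating those sizes in the comment, so the bound cannot drift from the size computed later. As a separate style point, `vbr_header_offest` in the `if` line reads like a misspelling of `vbr_header_offset` and could be renamed in a follow-up.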
----
Description of bug:
With VBR_HEADER_MAX_SIZE = 116, the buffer
char vbrheaderdata[
is too small. Below, it is used with the following variable:
int vbr_header_size = VBR_HEADER_MIN_SIZE
which is 120 in the maximum case. So the patch fixes it to 120 instead of 116 bytes.
This will also fix bug 425319 (https:/
ProblemType: Crash
Architecture: i386
AssertionMessage: *** stack smashing detected ***: id3info terminated
Date: Tue Oct 6 12:44:08 2009
DistroRelease: Ubuntu 9.10
ExecutablePath: /usr/bin/id3info
Package: libid3-3.8.3-dev 3.8.3-7.2ubuntu1
ProcCmdline: id3info vbr.mp3
ProcEnviron:
SHELL=/bin/bash
LANG=en_US.UTF-8
ProcVersionSign
Signal: 6
SourcePackage: id3lib3.8.3
StacktraceTop:
__kernel_vsyscall ()
*__GI_raise (sig=6)
*__GI_abort () at abort.c:92
__libc_message (do_abort=2,
*__GI_
Title: id3info assert failure: *** stack smashing detected ***: id3info terminated
Uname: Linux 2.6.31-11-generic i686
UserGroups: adm admin cdrom dialout lpadmin plugdev pulse-access sambashare
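The size mismatch described in the report, as an added example that is not part of the original report or of id3lib's code: it derives the maximum Xing header size from the field sizes (8 + 4 + 4 + 100 + 4 = 120) and checks the size announced by the flags against the destination buffer before copying. The names `xing_header_size` and `xing_copy_header` and the sample bytes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Xing VBR header: 4-byte tag + 4-byte big-endian flags, then optional fields. */
enum {
    XING_FIXED  = 8,    /* "Xing" + flags, always present */
    XING_FRAMES = 4,    /* present if flags & 0x1 */
    XING_BYTES  = 4,    /* present if flags & 0x2 */
    XING_TOC    = 100,  /* present if flags & 0x4 */
    XING_SCALE  = 4,    /* present if flags & 0x8 */
    XING_MAX    = XING_FIXED + XING_FRAMES + XING_BYTES + XING_TOC + XING_SCALE
};

/* Header size announced by the flags word. */
size_t xing_header_size(uint32_t flags)
{
    size_t n = XING_FIXED;
    if (flags & 0x1) n += XING_FRAMES;
    if (flags & 0x2) n += XING_BYTES;
    if (flags & 0x4) n += XING_TOC;
    if (flags & 0x8) n += XING_SCALE;
    return n;
}

/* Copy a Xing header from in[0..avail) into out[0..cap). Returns bytes copied,
 * or 0 if the tag is missing, the input is truncated, or out is too small. */
size_t xing_copy_header(const unsigned char *in, size_t avail,
                        unsigned char *out, size_t cap)
{
    if (avail < XING_FIXED || memcmp(in, "Xing", 4) != 0) return 0;
    uint32_t flags = ((uint32_t)in[4] << 24) | ((uint32_t)in[5] << 16) |
                     ((uint32_t)in[6] << 8)  |  (uint32_t)in[7];
    size_t need = xing_header_size(flags);
    if (need > avail || need > cap) return 0;  /* refuse instead of overflowing */
    memcpy(out, in, need);
    return need;
}

int main(void)
{
    /* Constructed sample: tag plus flags 0x0F (all optional fields present). */
    unsigned char in[XING_MAX] = { 'X', 'i', 'n', 'g', 0, 0, 0, 0x0F };
    unsigned char small[116], full[XING_MAX];
    printf("116-byte buffer: %zu\n", xing_copy_header(in, sizeof in, small, sizeof small));
    printf("%d-byte buffer: %zu\n", (int)XING_MAX, xing_copy_header(in, sizeof in, full, sizeof full));
    return 0;
}
```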
Changed in id3lib3.8.3 (Ubuntu):
status: New → Confirmed
Changed in id3lib3.8.3 (Ubuntu):
assignee: nobody → Christian Mangold (neversfelde)
StacktraceTop: __kernel_ vsyscall () _fortify_ fail (
*__GI_raise (sig=6)
*__GI_abort () at abort.c:92
__libc_message (do_abort=2,
*__GI__