xorl %eax, %eax

CVE-2009-1301: mpg123 ID3v2 Tag Overflow


This was reported by Thomas Orgis on 5 April 2009 and affects mpg123 prior to 1.7.2. The following code is from the mpg123 1.7.1 release. Here is the vulnerable function at src/libmpg123/id3.c:

182 /*
183         Store any text in UTF8 encoding; preserve the zero string separator (I don't need strlen for the total size).
184         ID3v2 standard says that there should be one text frame of specific type per tag, and subsequent tags overwrite old values.
185         So, I always replace the text that may be stored already (perhaps with a list of zero-separated strings, though).
186 */
187 void store_id3_text(mpg123_string *sb, char *source, size_t source_size, const int noquiet)
188 {
189         int encoding;
190         int bwidth;
       ...
196         encoding = source[0];
197         ++source;
       ...
207         bwidth = encoding_widths[encoding];
       ...
221         text_converters[encoding](sb, (unsigned char*)source, source_size);
       ...
224 }


The bug is that the signed integer encoding declared at line 189 is initialized with the value of source[0] (line 196) and later used as an array index (line 207). However, source[] is completely user controlled, coming straight from the ID3 tag, and since source is a plain char * that byte can be a negative integer, which results in an out-of-bounds memory access. Here is an example of how this function is invoked by process_text():

267 static void process_text(mpg123_handle *fr, char *realdata, size_t realsize, char *id)
       ...
271         mpg123_text *t = add_text(fr);
       ...
278         memcpy(t->id, id, 4);
279         store_id3_text(&t->text, realdata, realsize, NOQUIET);
       ...
281 }
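As an added example, not code from mpg123 or from this post, the C program below reproduces the signedness error in miniature and contrasts it with the shape of the fix described below. Everything in it is constructed: the encoding_widths table and ENC_MAX stand in for mpg123's real table, the cast through signed char emulates a platform where plain char is signed, and the range check of the form encoding > ENC_MAX is an assumption about the elided lines 198-206 (the CVE description says the negative value bypasses a validation check). The functions return the index that would be used rather than dereferencing it, so the program itself never reads out of bounds.

```c
#include <stdio.h>

/*
 * Stand-in for mpg123's encoding_widths[] table: bytes per character for the
 * four ID3v2 text encodings (0 = ISO-8859-1, 1 = UTF-16, 2 = UTF-16BE, 3 = UTF-8).
 * The widths are constructed for this example; only the index arithmetic matters.
 */
#define ENC_MAX 3
static const int encoding_widths[ENC_MAX + 1] = { 1, 2, 2, 1 };

/* Is idx a valid index into encoding_widths[]? */
int index_in_bounds(int idx)
{
    return idx >= 0 && idx <= ENC_MAX;
}

/*
 * Pre-1.7.2 pattern: the first byte of the frame body lands in a signed int.
 * Casting through signed char emulates a platform where plain char is signed,
 * so bytes 0x80..0xFF arrive as negative values. The range check is an
 * assumption about the elided lines: a test of the form "encoding > ENC_MAX"
 * cannot reject a negative value, so it falls through to the table lookup.
 * Returns the index the vulnerable code would use (possibly negative).
 */
int vulnerable_index(const unsigned char *frame)
{
    int encoding = (signed char)frame[0];
    if (encoding > ENC_MAX)
        encoding = 0;          /* only large positive values are caught */
    return encoding;
}

/*
 * Shape of the 1.7.2 fix: unsigned variable plus a cast of the (signed) char.
 * The cast sign-extends: -1 becomes UINT_MAX and -128 becomes UINT_MAX - 127,
 * so every formerly negative value is now larger than ENC_MAX and the same
 * range check rejects it. The cast alone does not bound the value; the check
 * is what makes this safe.
 */
int fixed_index(const unsigned char *frame)
{
    unsigned int encoding = (unsigned int)(signed char)frame[0];
    if (encoding > ENC_MAX)
        encoding = 0;
    return (int)encoding;
}

/*
 * Variant that does not depend on a range check living somewhere downstream:
 * read the byte through unsigned char so the value is always 0..255, and clamp
 * explicitly. This is the form to prefer when untrusted input indexes a table.
 */
int hardened_index(const unsigned char *frame)
{
    unsigned int encoding = (unsigned char)frame[0];
    return encoding <= ENC_MAX ? (int)encoding : 0;
}

/* Width lookup that refuses out-of-range indices instead of reading past the table. */
int checked_width(int idx)
{
    return index_in_bounds(idx) ? encoding_widths[idx] : -1;
}

int main(void)
{
    /* Constructed frame bodies: first byte is the encoding, the rest is text. */
    const unsigned char benign[]    = { 0x03, 'o', 'k', 0 };  /* 3 = UTF-8 */
    const unsigned char malformed[] = { 0xFF, 'x', 'x', 0 };  /* 0xFF reads as -1 */

    printf("benign:    vuln=%d fixed=%d hardened=%d\n",
           vulnerable_index(benign), fixed_index(benign), hardened_index(benign));
    printf("malformed: vuln=%d (in bounds: %d) fixed=%d hardened=%d\n",
           vulnerable_index(malformed), index_in_bounds(vulnerable_index(malformed)),
           fixed_index(malformed), hardened_index(malformed));
    return 0;
}
```

Running it shows the benign frame indexing slot 3 in all three variants, while the malformed frame yields -1 from the vulnerable path (an index before the start of the table) and 0 from both corrected paths. The hardened variant is the one to reach for in new code: it does not rely on remembering that a later comparison happens to catch sign-extended values.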


To patch this they replaced the signed integer with an unsigned one:

 {
-       int encoding;
+       unsigned int encoding;
        int bwidth;
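Review bot: Changing `encoding` to `unsigned int` only neutralises the negative index if a range check on `encoding` sits between the assignment and the `encoding_widths[encoding]` lookup, and this hunk does not show one; a comment at the declaration naming the check it relies on would stop a future refactor from silently removing it.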


They also added a cast to unsigned int on the value read from source[]:

        }
-       encoding = source[0];
+       encoding = (unsigned int) source[0];
        ++source;
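Review bot: `source` is declared `char *`, so `(unsigned int) source[0]` first reads a possibly signed char and then sign-extends it: a byte of 0xFF becomes UINT_MAX rather than 255. That is enough to make a `> max` comparison fire, but reading the byte as `(unsigned char) source[0]` keeps the value in 0..255 and states the intent directly.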

Written by xorl

April 17, 2009 at 03:05

Posted in bugs
