Re: Local/remote mpg123 exploit

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear gobbles () hushmail com,


Beside all the noise: it's trivial stack overflow due to invalid maximum
frame  size  calculation  in mpg123. Maximum frame size is defined to be
1792  (mpglib/mpg123.h)  and  1920  (common.c  where  overflow  probably
actually occures). Gobblez construct frame (160 * 144000)/8000 + 1 - 4 =
2877  bytes.  Maximum  frame  may  be  constructed  is  probably  (384 *
144000)/16000  +  1  - 4 = 3453 bytes. Redefining MAX_INPUT_FRAMESIZE to
4096 should probably fix the problem. mpg123.h (not one from mpglib, but
one  from  mpg123  itself)  already has MAXFRAMESIZE defined as 4096. It
also  could  be nice to add fr->framesize check. Fix below. I'm too lazy
to test it.

If there are any programs using same mpglib they are vulnerable too.

--- common.old  2003-01-15 20:18:14.000000000 +0300
+++ common.c    2003-01-15 20:25:26.000000000 +0300
@@ -140,7 +140,7 @@
  *       -1: giving up
  *        1: synched
  */
-#define MAX_INPUT_FRAMESIZE 1920
+#define MAX_INPUT_FRAMESIZE 4096
 #define SYNC_HEAD_MASK    0xffff0000
 #define SYNC_HEAD_MASK_FF 0x0000f000
 #define LOOK_AHEAD_NUM 3
@@ -237,6 +237,8 @@
         }
      }
      else {
+       if(frameInfo.framesize > MAX_INPUT_FRAMESIZE) return 0;
+
         if(!rds->read_frame_body(rds,dummybuf,frameInfo.framesize))
            return 0;

--Monday, January 13, 2003, 9:23:18 PM, you wrote to bugtraq () securityfocus com:

ghc> Affected Software: mpg123 (pre0.59s) http://www.mpg123.de


-- 
~/ZARAZA
You know my name - look up my number (Beatles)