Bugtraq mailing list archives
Re: Local/remote mpg123 exploit
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 15 Jan 2003 20:32:28 +0300
Dear gobbles () hushmail com,

Beside all the noise: it's a trivial stack overflow due to invalid maximum frame size calculation in mpg123. Maximum frame size is defined to be 1792 (mpglib/mpg123.h) and 1920 (common.c, where the overflow probably actually occurs). Gobblez constructs a frame of (160 * 144000)/8000 + 1 - 4 = 2877 bytes. The maximum frame that may be constructed is probably (384 * 144000)/16000 + 1 - 4 = 3453 bytes. Redefining MAX_INPUT_FRAMESIZE to 4096 should probably fix the problem. mpg123.h (not the one from mpglib, but the one from mpg123 itself) already has MAXFRAMESIZE defined as 4096. It also could be nice to add an fr->framesize check. Fix below. I'm too lazy to test it. If there are any programs using the same mpglib they are vulnerable too.

--- common.old 2003-01-15 20:18:14.000000000 +0300
+++ common.c 2003-01-15 20:25:26.000000000 +0300
@@ -140,7 +140,7 @@
  * -1: giving up
  * 1: synched
  */
-#define MAX_INPUT_FRAMESIZE 1920
+#define MAX_INPUT_FRAMESIZE 4096
 #define SYNC_HEAD_MASK 0xffff0000
 #define SYNC_HEAD_MASK_FF 0x0000f000
 #define LOOK_AHEAD_NUM 3
@@ -237,6 +237,8 @@
       }
     }
     else {
+      if(frameInfo.framesize > MAX_INPUT_FRAMESIZE) return 0;
+
       if(!rds->read_frame_body(rds,dummybuf,frameInfo.framesize))
         return 0;

--Monday, January 13, 2003, 9:23:18 PM, you wrote to bugtraq () securityfocus com:

ghc> Affected Software: mpg123 (pre0.59s) http://www.mpg123.de

--
~/ZARAZA
You know my name - look up my number (Beatles)
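Review bot: the first hunk only enlarges the fixed buffer (MAX_INPUT_FRAMESIZE 1920 -> 4096); on its own it does not remove the overflow, it just moves the threshold, and the message itself says the 3453-byte maximum is only "probably" right. This hunk should not be applied without the guard in the second hunk, and the new value should be checked against the MAXFRAMESIZE of 4096 in mpg123.h that the message mentions so the two headers do not drift apart again.

Review bot: the guard `if(frameInfo.framesize > MAX_INPUT_FRAMESIZE) return 0;` is one-sided: if framesize is a signed integer, a negative value (the size formula in the message subtracts 4) passes this check and is handed to read_frame_body(). Consider `if(frameInfo.framesize < 0 || frameInfo.framesize > MAX_INPUT_FRAMESIZE) return 0;` or an unsigned comparison. The check is also added only in the else branch shown here; the branch closed by the two `}` context lines above it should be reviewed for a matching read of frameInfo.framesize that needs the same bound. Since the author states the patch is untested, it should be compiled and exercised with an oversized frame before being applied.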
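As an added illustration (not code from the post, from gobbles, or from mpg123), the frame-body arithmetic the message uses beside the bound check its patch introduces; the two buffer limits are the values the message quotes, the header fields are constructed, and the function names are my own:

```c
#include <stdio.h>

/* Buffer limits quoted in the message: the old common.c define and
 * the value the patch proposes. */
#define OLD_MAX_INPUT_FRAMESIZE 1920
#define NEW_MAX_INPUT_FRAMESIZE 4096

/* Frame-body size in bytes as the message computes it:
 * (bitrate_kbps * 144000) / samplerate + padding, minus the 4-byte header.
 * Returns -1 for nonsensical header fields so callers cannot treat
 * garbage as a valid length. */
static int frame_body_size(int bitrate_kbps, int samplerate, int padding)
{
    if (bitrate_kbps <= 0 || samplerate <= 0 || (padding != 0 && padding != 1))
        return -1;
    return (bitrate_kbps * 144000) / samplerate + padding - 4;
}

/* The guard the patch adds before read_frame_body(): reject any body
 * that would not fit the fixed buffer. Negative sizes are rejected too,
 * which the one-sided "> MAX" comparison in the patch does not do. */
static int frame_fits(int framesize, int max_input_framesize)
{
    return framesize >= 0 && framesize <= max_input_framesize;
}

int main(void)
{
    /* Constructed header fields: the frame from the advisory and the
     * largest one the message says is probably possible. */
    struct { int kbps, hz, pad; } cases[] = { {160, 8000, 1}, {384, 16000, 1} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int n = frame_body_size(cases[i].kbps, cases[i].hz, cases[i].pad);
        printf("%d kbps @ %d Hz: body %d bytes, fits 1920: %s, fits 4096: %s\n",
               cases[i].kbps, cases[i].hz, n,
               frame_fits(n, OLD_MAX_INPUT_FRAMESIZE) ? "yes" : "no",
               frame_fits(n, NEW_MAX_INPUT_FRAMESIZE) ? "yes" : "no");
    }
    return 0;
}
```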