oss-sec mailing list archives
Re: mpg123: global buffer overflow in III_i_stereo (layer3.c)
From: "Dr. Thomas Orgis" <thomas.orgis () uni-hamburg de>
Date: Tue, 11 Jul 2017 10:02:02 +0200
Thanks to all for the clarifications.

On Mon, 10 Jul 2017 20:24:01 -0600, Kurt Seifried <kseifried () redhat com> wrote:
> On 2017-07-10 8:04 PM, Michal Zalewski wrote:
> > It's hard to see a security issue here
> I'm not sure this applies here, but the use of uninitialized memory can be an issue when, say, a website calls your code to convert user-controlled audio (e.g., to optimize it for streaming).
Yeah, in this case it is read access spilling over to adjacent static variables in the code. They are either constant at compile-time or initialised to the same values on each run.
> Heartbleed was "only" 64k (that's actually a pretty huge amount for sensitive data).
Here, it's 128 bytes of an adjacent table instead of the intended one (planned for a 4-bit index, got a 5-bit one). It's bad audio being produced, but from input that very likely was bad to begin with (still no valid input data at hand that triggers this).

I would like the CVE description to mention that this is only Denial of Service with something like the AddressSanitizer, as it is guaranteed to be memory belonging to the respective process, just up to 128 bytes off the mark. Not even heap buffers involved. Of course this was not clear when reporting, but it's really just those 128 bytes inside static variables in the code. My program accesses memory that belongs to my program … unless the compiler inserts forbidden zones in there.

I am not bothered enough to dispute the CVE. In the end it's a bug and it had to be fixed. But I won't mention the CVE in the commit message as it's already done and you don't change history with Subversion. You will have to make do with the entry in the NEWS file on release ;-)

Alrighty then,

Thomas

--
Dr. Thomas Orgis
Universität Hamburg
RRZ / Basisinfrastruktur / HPC
Schlüterstr. 70
20146 Hamburg
Tel.: 040/42838 8826
Fax: 040/428 38 6270
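The bug shape discussed in this message (a table sized for a 4-bit index being read with a 5-bit one, so the read spills into whatever static data follows the table) is easy to show in isolation. The following is an added example written for this archive page; it is not mpg123 code and does not reproduce III_i_stereo. The two tables, the `get_bits` reader, the `0xB4` sample byte and the helper names are all constructed for the demonstration. `lookup_unchecked` has the vulnerable shape (build with `-fsanitize=address` and call it with an index of 16 or more to see the global-buffer-overflow report that started this thread), `lookup_checked` has the fixed shape, and `spill_bytes` computes how far past the intended table the worst-case index reaches for a given entry size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not mpg123 code. The intended table is sized for a
 * 4-bit index (16 entries); a second table is placed right after it in
 * static storage, so an index in 16..31 silently reads the neighbour. */
#define INTENDED_ENTRIES 16
#define INDEX_BITS 5            /* width of the field the bad input carries */

static const float intended_tab[INTENDED_ENTRIES] = {
    1.00f, 0.94f, 0.88f, 0.82f, 0.76f, 0.70f, 0.64f, 0.58f,
    0.52f, 0.46f, 0.40f, 0.34f, 0.28f, 0.22f, 0.16f, 0.10f
};
static const float neighbour_tab[INTENDED_ENTRIES] = {
    9.0f, 9.1f, 9.2f, 9.3f, 9.4f, 9.5f, 9.6f, 9.7f,
    9.8f, 9.9f, 8.0f, 8.1f, 8.2f, 8.3f, 8.4f, 8.5f
};

/* MSB-first bit reader over a byte buffer (hypothetical helper). */
static unsigned get_bits(const uint8_t *buf, size_t bitpos, unsigned nbits)
{
    unsigned v = 0;
    for (unsigned i = 0; i < nbits; i++, bitpos++)
        v = (v << 1) | ((buf[bitpos / 8] >> (7 - bitpos % 8)) & 1u);
    return v;
}

/* Bug shape: the 5-bit field is used as an index without a range check.
 * Any idx >= 16 reads past intended_tab; build with -fsanitize=address
 * and call this with such an index to get a global-buffer-overflow report.
 * Without ASan the read returns whatever static data follows the table. */
static float lookup_unchecked(unsigned idx)
{
    return intended_tab[idx];
}

/* Fixed shape: reject the index before it touches memory. Returns 0 and
 * stores the value on success, -1 if idx is outside the table. */
static int lookup_checked(unsigned idx, float *out)
{
    if (idx >= INTENDED_ENTRIES)
        return -1;
    if (out)
        *out = intended_tab[idx];
    return 0;
}

/* Bytes past the end of a table that the largest value of an index field
 * of index_bits bits can reach; 0 if the field cannot exceed the table. */
static size_t spill_bytes(unsigned index_bits, size_t entries, size_t entry_size)
{
    size_t max_index = ((size_t)1 << index_bits) - 1;
    if (max_index < entries)
        return 0;
    return (max_index + 1 - entries) * entry_size;
}

/* Constructed input: the first five bits of 0xB4 (1011 0100) are 10110 = 22,
 * a value a 4-bit index can never take. */
static const uint8_t sample_frame[] = { 0xB4, 0x00 };

static unsigned sample_index(void)
{
    return get_bits(sample_frame, 0, INDEX_BITS);
}

int main(void)
{
    unsigned idx = sample_index();
    float v;

    if (lookup_checked(idx, &v) != 0)
        printf("index %u rejected: table has %d entries\n", idx, INTENDED_ENTRIES);
    else
        printf("index %u -> %f\n", idx, v);

    printf("worst case for a %d-bit index into %d %zu-byte entries: "
           "%zu bytes past the end\n",
           INDEX_BITS, INTENDED_ENTRIES, sizeof(float),
           spill_bytes(INDEX_BITS, INTENDED_ENTRIES, sizeof(float)));
    (void)neighbour_tab;
    (void)lookup_unchecked;
    return 0;
}
```

With 4-byte entries `spill_bytes(5, 16, 4)` is 64 and with 8-byte entries it is 128; the message does not state the entry size of the real table, so the example does not claim which one applies to mpg123. The point it does show is the one made above: the out-of-range read lands in adjacent static storage of the same process, which is why a plain build produces wrong audio while an ASan build aborts.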
Current thread:
- mpg123: global buffer overflow in III_i_stereo (layer3.c) Agostino Sarubbo (Jul 10)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Dr. Thomas Orgis (Jul 10)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Agostino Sarubbo (Jul 10)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Seth Arnold (Jul 10)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Kurt Seifried (Jul 10)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Michal Zalewski (Jul 10)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Kurt Seifried (Jul 10)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Dr. Thomas Orgis (Jul 11)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Jonas Thiem (Jul 11)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Dr. Thomas Orgis (Jul 11)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Dr. Thomas Orgis (Jul 10)