oss-sec mailing list archives

mpg321: Out-of-bounds Write


From: Ren Kimura <rkx1209dev () gmail com>
Date: Fri, 7 Dec 2018 22:16:59 -0500

Hi.
mpg321 is a free command-line mp3 player that is commonly available on
many Linux distributions.
For example, on Ubuntu you can install the latest mpg321 with "apt-get
install mpg321".

In the latest mpg321 (0.3.2), scan() in mad.c calculates the number of frames
using the bit rate.
If a crafted mp3 whose bit rate equals 0 is given, the sampling time becomes
INF due to floating-point division by 0.
As a result, the frame number becomes very large (1<<63), leading to an
out-of-bounds write (memory corruption) at mad.c:285.
Note: the frames buffer has been allocated with only 8 bytes at mpg321.c:990.

I'll request a CVE ID from MITRE.

ASAN crash traces:

Playing MPEG stream from mpg321_0.3.2_memory_corruption.mp3 ...
=================================================================
==18648==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020000000d8 at pc 0x555555566c18 bp 0x7fffffffb3$
0 sp 0x7fffffffb3c0
WRITE of size 8 at 0x6020000000d8 thread T0
    #0 0x555555566c17 in read_header
/home/rkx/Programming/OSS/research/results/2/mpg321-0.3.2/mad.c:285
    #1 0x7ffff64c0594  (/usr/lib/x86_64-linux-gnu/libmad.so.0+0x5594)
    #2 0x7ffff64c0b82 in mad_decoder_run
(/usr/lib/x86_64-linux-gnu/libmad.so.0+0x5b82)
    #3 0x5555555607fb in main
/home/rkx/Programming/OSS/research/results/2/mpg321-0.3.2/mpg321.c:1092
    #4 0x7ffff5b43b96 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x555555562779 in _start
(/home/rkx/Programming/OSS/research/results/2/mpg321-0.3.2/mpg321-asan+0xe779)

0x6020000000d8 is located 0 bytes to the right of 8-byte region
[0x6020000000d0,0x6020000000d8)
allocated by thread T0 here:
    #0 0x7ffff6ef8b50 in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x555555561b51 in main
/home/rkx/Programming/OSS/research/results/2/mpg321-0.3.2/mpg321.c:990

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/rkx/Programming/OSS/research/results/2/mpg321-0.3.2/mad.c:285 in
 read_header
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 06 fa fa fa 06 fa fa fa 01 fa fa fa 00 00
=>0x0c047fff8010: fa fa 00 00 fa fa 06 fa fa fa 00[fa]fa fa 00 00
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa

Ren Kimura

Attachment: mpg321_0.3.2_memory_corruption.mp3
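To make the arithmetic in this report concrete, here is an added C example that models the calculation as the report describes it. It is not mpg321's or libmad's code: the struct, the helper names, the frame cap and the sample header values are assumptions constructed for the demonstration. It shows the unchecked header-driven estimate producing +inf when the bit rate is 0 (the value whose conversion to a 64-bit integer yields the 1<<63 frame count), next to a checked version that rejects such a header and bounds the frame table before anything is written into it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the frame-count estimate the report describes
 * (hypothetical names; this is not the scan() in mad.c).  Field values
 * come from an MP3 frame header; a crafted file can set bitrate to 0. */
struct frame_header {
    unsigned long bitrate;     /* bits per second */
    unsigned long samplerate;  /* samples per second */
    unsigned long file_bytes;  /* size of the audio data */
};

#define SAMPLES_PER_FRAME 1152.0     /* MPEG-1 Layer III */
#define MAX_FRAMES        (1L << 24) /* assumed cap; choose per application */

/* Unchecked estimate, returned as a double so the caller can see the
 * damage: file_bytes*8/0.0 is +inf under IEEE 754, and inf times a
 * finite factor stays inf.  Converting that to a 64-bit integer is
 * undefined behaviour in C; on x86-64 the cvttsd2si instruction yields
 * 0x8000000000000000, i.e. the "1<<63" frame count the report mentions,
 * which then indexes far past an 8-byte buffer. */
double naive_frame_estimate(const struct frame_header *h)
{
    double seconds = (double)h->file_bytes * 8.0 / (double)h->bitrate;
    return seconds * ((double)h->samplerate / SAMPLES_PER_FRAME);
}

/* Checked estimate: refuse zero divisors, then require the result to be
 * a finite, non-negative number below the cap before truncating to long.
 * NaN fails the x != x test, +inf fails the upper bound, -inf the lower.
 * Returns -1 on a rejected header. */
long safe_frame_estimate(const struct frame_header *h)
{
    if (h->bitrate == 0 || h->samplerate == 0)
        return -1;
    double seconds = (double)h->file_bytes * 8.0 / (double)h->bitrate;
    double frames = seconds * ((double)h->samplerate / SAMPLES_PER_FRAME);
    if (frames != frames || frames < 0.0 || frames > (double)MAX_FRAMES)
        return -1;
    return (long)frames;   /* 0 <= frames <= MAX_FRAMES, so this fits a long */
}

/* Frame table that carries its capacity with the pointer, so every store
 * is bounds-checked instead of trusting the header-derived count. */
struct frame_table {
    long  *offsets;
    size_t capacity;
};

int frame_table_init(struct frame_table *t, long frames)
{
    t->offsets = NULL;
    t->capacity = 0;
    if (frames <= 0 || (unsigned long)frames > SIZE_MAX / sizeof(long))
        return -1;
    t->offsets = calloc((size_t)frames, sizeof(long));
    if (t->offsets == NULL)
        return -1;
    t->capacity = (size_t)frames;
    return 0;
}

/* Returns 0 on success, -1 if the index would leave the allocation. */
int record_frame(struct frame_table *t, size_t index, long offset)
{
    if (t->offsets == NULL || index >= t->capacity)
        return -1;
    t->offsets[index] = offset;
    return 0;
}

void frame_table_free(struct frame_table *t)
{
    free(t->offsets);
    t->offsets = NULL;
    t->capacity = 0;
}

int main(void)
{
    /* Constructed sample headers: one sane, one with the crafted 0 bit rate. */
    struct frame_header sane    = { 128000, 44100, 4000000 };
    struct frame_header crafted = { 0,      44100, 4000000 };
    struct frame_table t;

    printf("sane:    naive=%.1f checked=%ld\n",
           naive_frame_estimate(&sane), safe_frame_estimate(&sane));
    printf("crafted: naive=%f checked=%ld\n",
           naive_frame_estimate(&crafted), safe_frame_estimate(&crafted));

    long n = safe_frame_estimate(&sane);
    if (frame_table_init(&t, n) == 0) {
        printf("last valid store: %d, one past end: %d\n",
               record_frame(&t, (size_t)n - 1, 42),
               record_frame(&t, (size_t)n, 42));
        frame_table_free(&t);
    }
    return 0;
}
```

The point of the checked version is that the validation happens on the double before the cast, because the double-to-integer conversion of an out-of-range value is already undefined behaviour; testing the resulting long for sanity afterwards is too late.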