oss-sec mailing list archives

Re: mp3gain: NULL pointer dereference in sync_buffer (mpglibDBL/interface.c)

From: Simon McVittie <smcv () debian org>
Date: Thu, 14 Sep 2017 08:24:45 +0100

On Thu, 14 Sep 2017 at 07:00:25 +0000, Agostino Sarubbo wrote:

The fuzz was done via the aacgain command-line tool which uses mp3gain
which bundles an old-modified version of mpg123 called mpglibDBL.


I wouldn't recommend putting effort into fuzzing mp3gain. mpglibDBL
is known to have security vulnerabilities anyway:
https://security-tracker.debian.org/tracker/source-package/mp3gain
(I wonder whether you've rediscovered those, or found new vulnerabilities?)

It probably also suffers from most other historical vulnerabilities
that are listed for mpg123. We removed it from Debian in 2014,
with a recommendation to use the rgain Python package instead:
https://tracker.debian.org/pkg/rgain

rgain uses libmad or ffmpeg via GStreamer for decoding, so it isn't
exactly bug-free either; but those libraries are actively maintained,
and when they have vulnerabilities, they'd need to be fixed anyway for
the benefit of other packages.

Regards,
    smcv

Current thread:

mp3gain: NULL pointer dereference in sync_buffer (mpglibDBL/interface.c) Agostino Sarubbo (Sep 14)
- Re: mp3gain: NULL pointer dereference in sync_buffer (mpglibDBL/interface.c) Simon McVittie (Sep 14)
  - Re: mp3gain: NULL pointer dereference in sync_buffer (mpglibDBL/interface.c) Agostino Sarubbo (Sep 14)
    - Re: mp3gain: NULL pointer dereference in sync_buffer (mpglibDBL/interface.c) Dr. Thomas Orgis (Sep 14)
    - Re: mp3gain: NULL pointer dereference in sync_buffer (mpglibDBL/interface.c) Agostino Sarubbo (Sep 14)
- Re: mp3gain: NULL pointer dereference in sync_buffer (mpglibDBL/interface.c) Dr. Thomas Orgis (Sep 14)