aboutsummaryrefslogtreecommitdiffstats
path: root/src/inputPlugins
diff options
context:
space:
mode:
authorMax Kellermann <max@duempel.org>2008-09-17 22:30:34 +0200
committerEric Wong <normalperson@yhbt.net>2008-09-17 14:23:40 -0700
commitebaee174fc6cdc15a94654239de97ee55f7de5b2 (patch)
tree5fcd3095c58c6fadfe3a69cc0e8642c12d316a17 /src/inputPlugins
parentf851baf8c6e7cfc8d8b2bf904d8c090e70618190 (diff)
downloadmpd-ebaee174fc6cdc15a94654239de97ee55f7de5b2.tar.gz
mpd-ebaee174fc6cdc15a94654239de97ee55f7de5b2.tar.xz
mpd-ebaee174fc6cdc15a94654239de97ee55f7de5b2.zip
mp3: fix buffer overflow when max_frames is too large
The function decodeFirstFrame() allocates memory based on data from the mp3 header. This can make the buffer size allocation overflow, or lead to a DoS attack with a very large buffer. Cap this buffer at 8 million frames, which should really be enough for reasonable files.
Diffstat (limited to 'src/inputPlugins')
-rw-r--r--src/inputPlugins/mp3_plugin.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/inputPlugins/mp3_plugin.c b/src/inputPlugins/mp3_plugin.c
index ff3de80a3..bc1fb50c5 100644
--- a/src/inputPlugins/mp3_plugin.c
+++ b/src/inputPlugins/mp3_plugin.c
@@ -774,6 +774,11 @@ static int decodeFirstFrame(mp3DecodeData * data,
if (!data->maxFrames) return -1;
+ if (data->maxFrames > 8 * 1024 * 1024) {
+ ERROR("mp3 file header indicates too many frames: %lu", data->maxFrames);
+ return -1;
+ }
+
data->frameOffset = xmalloc(sizeof(long) * data->maxFrames);
data->times = xmalloc(sizeof(mad_timer_t) * data->maxFrames);