mp3: fix buffer overflow when max_frames is too large

The function decodeFirstFrame() allocates memory based on data from the mp3 header. This can make the buffer size allocation overflow, or lead to a DoS attack with a very large buffer. Cap this buffer at 8 million frames, which should really be enough for reasonable files.
author: Max Kellermann <max@duempel.org> 2008-09-17 22:30:34 +0200
committer: Max Kellermann <max@duempel.org> 2008-09-17 22:30:34 +0200
commit: 913028a780707543a2eca0dcca61a0e8eb6b6167 (patch)
tree: e0de88d644b468aed30a039e86617c12afd7d4a1 /src/inputPlugins
parent: ef0e2fdc1b4d080d7cdf912660eaae8ec9103120 (diff)
download: mpd-913028a780707543a2eca0dcca61a0e8eb6b6167.tar.gz
mpd-913028a780707543a2eca0dcca61a0e8eb6b6167.tar.xz
mpd-913028a780707543a2eca0dcca61a0e8eb6b6167.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/src/inputPlugins/mp3_plugin.c b/src/inputPlugins/mp3_plugin.c
index 24e0c368f..cd66d77c3 100644
--- a/src/inputPlugins/mp3_plugin.c
+++ b/src/inputPlugins/mp3_plugin.c
@@ -776,6 +776,11 @@ static int decodeFirstFrame(mp3DecodeData * data,
 
 	if (!data->maxFrames) return -1;
 
+	if (data->maxFrames > 8 * 1024 * 1024) {
+		ERROR("mp3 file header indicates too many frames: %lu", data->maxFrames);
+		return -1;
+	}
+
 	data->frameOffset = xmalloc(sizeof(long) * data->maxFrames);
 	data->times = xmalloc(sizeof(mad_timer_t) * data->maxFrames);
author	Max Kellermann <max@duempel.org>	2008-09-17 22:30:34 +0200
committer	Max Kellermann <max@duempel.org>	2008-09-17 22:30:34 +0200
commit	913028a780707543a2eca0dcca61a0e8eb6b6167 (patch)
tree	e0de88d644b468aed30a039e86617c12afd7d4a1 /src/inputPlugins
parent	ef0e2fdc1b4d080d7cdf912660eaae8ec9103120 (diff)
download	mpd-913028a780707543a2eca0dcca61a0e8eb6b6167.tar.gz mpd-913028a780707543a2eca0dcca61a0e8eb6b6167.tar.xz mpd-913028a780707543a2eca0dcca61a0e8eb6b6167.zip