From 913028a780707543a2eca0dcca61a0e8eb6b6167 Mon Sep 17 00:00:00 2001
From: Max Kellermann
Date: Wed, 17 Sep 2008 22:30:34 +0200
Subject: mp3: fix buffer overflow when max_frames is too large

The function decodeFirstFrame() allocates memory based on data from the mp3 header. This can make the buffer size allocation overflow, or lead to a DoS attack with a very large buffer. Cap this buffer at 8 million frames, which should really be enough for reasonable files.
---
 src/inputPlugins/mp3_plugin.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/inputPlugins/mp3_plugin.c b/src/inputPlugins/mp3_plugin.c
index 24e0c368f..cd66d77c3 100644
--- a/src/inputPlugins/mp3_plugin.c
+++ b/src/inputPlugins/mp3_plugin.c
@@ -776,6 +776,11 @@ static int decodeFirstFrame(mp3DecodeData * data,
 if (!data->maxFrames)
 return -1;
+ if (data->maxFrames > 8 * 1024 * 1024) {
+ ERROR("mp3 file header indicates too many frames: %lu", data->maxFrames);
+ return -1;
+ }
+
 data->frameOffset = xmalloc(sizeof(long) * data->maxFrames);
 data->times = xmalloc(sizeof(mad_timer_t) * data->maxFrames);
-- 
cgit v1.2.3
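Review bot: The new guard only rejects values above the cap; if `maxFrames` is a signed type (the `%lu` in the ERROR call suggests unsigned long, but the field's declaration is outside the hunk), a negative value from a malformed header would still pass both the existing `!data->maxFrames` check and the new one and be converted to a huge size in `sizeof(long) * data->maxFrames`. If the field is signed, widen the condition to `if (data->maxFrames <= 0 || data->maxFrames > 8 * 1024 * 1024) {` and confirm that `%lu` matches the field's actual type, since a mismatched conversion specifier is undefined behavior. The literal limit would also read better as a named constant such as `enum { MP3_MAX_FRAMES = 8 * 1024 * 1024 };` with a comment saying it bounds the two xmalloc() arrays derived from untrusted header data. decodeFirstFrame() starts before the hunk and continues past it.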