From ebaee174fc6cdc15a94654239de97ee55f7de5b2 Mon Sep 17 00:00:00 2001
From: Max Kellermann <max@duempel.org>
Date: Wed, 17 Sep 2008 22:30:34 +0200
Subject: mp3: fix buffer overflow when max_frames is too large

The function decodeFirstFrame() allocates memory based on data from
the mp3 header.  This can make the buffer size allocation overflow, or
lead to a DoS attack with a very large buffer.  Cap this buffer at 8
million frames, which should really be enough for reasonable files.
---
 src/inputPlugins/mp3_plugin.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/inputPlugins/mp3_plugin.c b/src/inputPlugins/mp3_plugin.c
index ff3de80a3..bc1fb50c5 100644
--- a/src/inputPlugins/mp3_plugin.c
+++ b/src/inputPlugins/mp3_plugin.c
@@ -774,6 +774,11 @@ static int decodeFirstFrame(mp3DecodeData * data,
 
 	if (!data->maxFrames) return -1;
 
+	if (data->maxFrames > 8 * 1024 * 1024) {
+		ERROR("mp3 file header indicates too many frames: %lu", data->maxFrames);
+		return -1;
+	}
+
 	data->frameOffset = xmalloc(sizeof(long) * data->maxFrames);
 	data->times = xmalloc(sizeof(mad_timer_t) * data->maxFrames);
 
-- 
cgit v1.2.3