Re: mpg123: global buffer overflow in III_i_stereo (layer3.c)

["Dr. Thomas Orgis" <thomas.orgis () uni-hamburg de>]

Am Tue, 11 Jul 2017 14:59:09 +0200
schrieb Jonas Thiem <jonas@thiem.email>:

> On 11.07.2017 10:02, Dr. Thomas Orgis wrote:
> > My program accesses memory that belongs
> > to my program … unless the compiler inserts forbidden zones in there.  
>
> So why do you know for sure that no program would store private keys or
> other sensitive data there? Or is this only static data by the mp3
> library itself?

I am speaking of memory allocated for static variables inside the
library we are talking about. This is in a source file of the lib:

static real pow1_1[2][16],pow2_1[2][16],pow1_2[2][16],pow2_2[2][16]; 

struct bandInfoStruct
{
        unsigned short longIdx[23];
        unsigned char longDiff[22];
        unsigned short shortIdx[14];
        unsigned char shortDiff[13];
};

static const struct bandInfoStruct bandInfo[9] = {{
{0,4,8,12,16,20,24,30,36,44,52,62,74, 90,110,134,162,196,238,288,342,418,576},
{4,4,4,4,4,4,6,6,8, 8,10,12,16,20,24,28,34,42,50,54, 76,158},
{0,4*3,8*3,12*3,16*3,22*3,30*3,40*3,52*3,66*3, 84*3,106*3,136*3,192*3},
{4,4,4,4,6,8,10,12,14,18,22,30,56}


The bug is that accesses to the pow arrays, at worst pow_2_2, can happen
with 31 in the last index instead of 15. You squarely land up to 128
bytes (for real==float) into the bandInfo array. Not sure if one could
trigger a floating point exception with the values of bandInfo (I see
only floating point representatiosn of zero in there with a qick test)
… but I do not see disclosure of any secrets.

Anyhow, we're generating lots of noise over an issue that of course is
fixed now with the released mpg123-1.25.2. Regardless on how serious
you think it is, the upgrade is of course encouraged. Moving on to new
bugs …


Alrighty then,

Thomas

-- 
Dr. Thomas Orgis
Universität Hamburg
RRZ / Basis-Infrastruktur / HPC
Schlüterstr. 70
20146 Hamburg
Tel.: 040/42838 8826
Fax: 040/428 38 6270

Attachment: smime.p7s
Description: