oss-sec mailing list archives
Re: mpg123: global buffer overflow in III_i_stereo (layer3.c)
From: "Dr. Thomas Orgis" <thomas.orgis () uni-hamburg de>
Date: Tue, 11 Jul 2017 15:50:08 +0200
Am Tue, 11 Jul 2017 14:59:09 +0200 schrieb Jonas Thiem <jonas@thiem.email>:
On 11.07.2017 10:02, Dr. Thomas Orgis wrote:My program accesses memory that belongs to my program … unless the compiler inserts forbidden zones in there.So why do you know for sure that no program would store private keys or other sensitive data there? Or is this only static data by the mp3 library itself?
I am speaking of memory allocated for static variables inside the library we are talking about. This is in a source file of the lib: static real pow1_1[2][16],pow2_1[2][16],pow1_2[2][16],pow2_2[2][16]; struct bandInfoStruct { unsigned short longIdx[23]; unsigned char longDiff[22]; unsigned short shortIdx[14]; unsigned char shortDiff[13]; }; static const struct bandInfoStruct bandInfo[9] = {{ {0,4,8,12,16,20,24,30,36,44,52,62,74, 90,110,134,162,196,238,288,342,418,576}, {4,4,4,4,4,4,6,6,8, 8,10,12,16,20,24,28,34,42,50,54, 76,158}, {0,4*3,8*3,12*3,16*3,22*3,30*3,40*3,52*3,66*3, 84*3,106*3,136*3,192*3}, {4,4,4,4,6,8,10,12,14,18,22,30,56} The bug is that accesses to the pow arrays, at worst pow_2_2, can happen with 31 in the last index instead of 15. You squarely land up to 128 bytes (for real==float) into the bandInfo array. Not sure if one could trigger a floating point exception with the values of bandInfo (I see only floating point representatiosn of zero in there with a qick test) … but I do not see disclosure of any secrets. Anyhow, we're generating lots of noise over an issue that of course is fixed now with the released mpg123-1.25.2. Regardless on how serious you think it is, the upgrade is of course encouraged. Moving on to new bugs … Alrighty then, Thomas -- Dr. Thomas Orgis Universität Hamburg RRZ / Basis-Infrastruktur / HPC Schlüterstr. 70 20146 Hamburg Tel.: 040/42838 8826 Fax: 040/428 38 6270
Attachment:
smime.p7s
Description:
Current thread:
- mpg123: global buffer overflow in III_i_stereo (layer3.c) Agostino Sarubbo (Jul 10)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Dr. Thomas Orgis (Jul 10)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Agostino Sarubbo (Jul 10)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Seth Arnold (Jul 10)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Kurt Seifried (Jul 10)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Michal Zalewski (Jul 10)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Kurt Seifried (Jul 10)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Dr. Thomas Orgis (Jul 11)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Jonas Thiem (Jul 11)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Dr. Thomas Orgis (Jul 11)
- Re: mpg123: global buffer overflow in III_i_stereo (layer3.c) Dr. Thomas Orgis (Jul 10)