oysteikt
/
mpd
0
0
Fork 0
Code Issues Pull Requests Releases Activity

mp3: fix buffer overflow when max_frames is too large 

The function decodeFirstFrame() allocates memory based on data from
the mp3 header.  This can make the buffer size allocation overflow, or
lead to a DoS attack with a very large buffer.  Cap this buffer at 8
million frames, which should really be enough for reasonable files.
This commit is contained in:
Max Kellermann 2008-09-17 22:30:34 +02:00
parent ef0e2fdc1b
commit 913028a780
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/inputPlugins/mp3_plugin.c
View File

@ -776,6 +776,11 @@ static int decodeFirstFrame(mp3DecodeData * data,
if (!data->maxFrames) return -1;
if (data->maxFrames > 8 * 1024 * 1024) {
ERROR("mp3 file header indicates too many frames: %lu", data->maxFrames);
return -1;
}
data->frameOffset = xmalloc(sizeof(long) * data->maxFrames);
data->times = xmalloc(sizeof(mad_timer_t) * data->maxFrames);