
#472 NULL Pointer Dereference in id3v2AddAudioDuration

Quality
closed-fixed
1
2017-08-28
2017-08-28
No

NULL Pointer Dereference in the id3v2AddAudioDuration function in libmp3lame/id3tag.c in LAME 3.99.5 allows attackers to cause a Denial of Service by calling it with a NULL first argument (lame_t gfp).

The affected code is as follows:

static void
id3v2AddAudioDuration(lame_t gfp, double ms)
{
    lame_internal_flags *gfc = gfp != 0 ? gfp->internal_flags : 0;
    SessionConfig_t const *const cfg = &gfc->cfg;
    char    buffer[1024];
    double const max_ulong = MAX_U_32_NUM;
    unsigned long playlength_ms;

    ms *= 1000;
    ms /= cfg->samplerate_in;
    if (ms > max_ulong) {
        playlength_ms = max_ulong;
    }
    else if (ms < 0) {
        playlength_ms = 0;
    }
    else {
        playlength_ms = ms;
    }
    sprintf(buffer, "%lu", playlength_ms);
    copyV1ToV2(gfp, ID_PLAYLENGTH, buffer);
}

On line 241,

lame_internal_flags *gfc = gfp != 0 ? gfp->internal_flags : 0;

If gfp == 0, gfc is assigned 0, i.e. a NULL pointer.

Then on line 242,

SessionConfig_t const *const cfg = &gfc->cfg;

In that case cfg, computed from the NULL gfc, is an invalid (NULL) pointer as well.

Finally on line 248,

ms /= cfg->samplerate_in;

the NULL pointer cfg is dereferenced directly.

To fix the issue, check that the pointer is not NULL before dereferencing it. Example code:

if (pointer1 != NULL) {
    /* perform operations that dereference pointer1 */
}
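
The following is an added, self-contained example (not LAME's own code) that reproduces the arithmetic of the reported function with an explicit NULL check in front of every dereference. The types SessionConfig_t, lame_internal_flags and lame_global_flags are minimal constructed stand-ins holding only the field the function reads, the function name id3v2_add_audio_duration_checked is hypothetical, and the play length is returned through an out parameter instead of being written into an ID3 frame so that the result can be checked.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the LAME types used by id3v2AddAudioDuration.
 * They are constructed for this example and hold only the one field the
 * function reads; they are not the real LAME definitions. */
typedef struct { int samplerate_in; } SessionConfig_t;
typedef struct { SessionConfig_t cfg; } lame_internal_flags;
typedef struct { lame_internal_flags *internal_flags; } lame_global_flags;
typedef lame_global_flags *lame_t;

#define MAX_U_32_NUM 0xFFFFFFFFUL

/* Hardened variant of the reported function (hypothetical name). The play
 * length is returned through *out so the result can be checked; the original
 * wrote it into an ID3 frame via copyV1ToV2. Returns 1 on success and 0 when
 * a pointer is NULL or the sample rate is unusable, without dereferencing
 * anything first. */
static int
id3v2_add_audio_duration_checked(lame_t gfp, double ms, unsigned long *out)
{
    lame_internal_flags *gfc;
    SessionConfig_t const *cfg;
    double const max_ulong = MAX_U_32_NUM;
    unsigned long playlength_ms;
    char buffer[1024];

    /* The original only guarded gfp when computing gfc and then
     * dereferenced the NULL-derived cfg; reject bad input up front. */
    if (gfp == NULL || gfp->internal_flags == NULL || out == NULL)
        return 0;
    gfc = gfp->internal_flags;
    cfg = &gfc->cfg;
    if (cfg->samplerate_in <= 0)   /* also avoids a division by zero */
        return 0;

    /* Same arithmetic and clamping as the reported code. */
    ms *= 1000;
    ms /= cfg->samplerate_in;
    if (ms > max_ulong)
        playlength_ms = (unsigned long) max_ulong;
    else if (ms < 0)
        playlength_ms = 0;
    else
        playlength_ms = (unsigned long) ms;

    snprintf(buffer, sizeof buffer, "%lu", playlength_ms);  /* bounded, unlike sprintf */
    *out = playlength_ms;
    return 1;
}

/* Scenario helpers: return -1 when the call is rejected, else the play length. */
static long long
duration_or_minus1(lame_t gfp, double samples)
{
    unsigned long out = 0;
    if (!id3v2_add_audio_duration_checked(gfp, samples, &out))
        return -1;
    return (long long) out;
}

static long long
duration_with_null_gfp(void)
{
    return duration_or_minus1(NULL, 44100.0);   /* the reported crash case */
}

static long long
duration_with_null_internal_flags(void)
{
    lame_global_flags g = { NULL };
    return duration_or_minus1(&g, 44100.0);
}

static long long
duration_for(int samplerate, double samples)
{
    lame_internal_flags f;
    lame_global_flags g;
    f.cfg.samplerate_in = samplerate;
    g.internal_flags = &f;
    return duration_or_minus1(&g, samples);
}

int
main(void)
{
    printf("NULL gfp            -> %lld\n", duration_with_null_gfp());
    printf("NULL internal_flags -> %lld\n", duration_with_null_internal_flags());
    printf("1 s at 44.1 kHz     -> %lld ms\n", duration_for(44100, 44100.0));
    printf("overflowing input   -> %lld ms\n", duration_for(1, 1e15));
    return 0;
}
```

The check covers both pointers the original walks through (gfp and gfp->internal_flags) rather than only the first, because a guard on gfp alone is exactly what leaves cfg pointing at NULL in the reported code; the sample-rate check is an added guard against the division that follows.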

Discussion

  • Robert Hegemann - 2017-08-28
    • assigned_to: Robert Hegemann

  • Robert Hegemann - 2017-08-28

    It will get fixed in version 3.100.

  • Robert Hegemann - 2017-08-28
    • status: open --> closed-fixed

  • Robert Hegemann - 2017-08-28

    A fix is now in CVS.