NULL Pointer Dereference in the id3v2AddAudioDuration function in libmp3lame/id3tag.c in LAME 3.99.5 allows attackers to cause a Denial of Service (crash) by triggering a NULL first argument (lame_t gfp).
The affected code is as follows:
static void
id3v2AddAudioDuration(lame_t gfp, double ms)
{
    lame_internal_flags *gfc = gfp != 0 ? gfp->internal_flags : 0;
    SessionConfig_t const *const cfg = &gfc->cfg;
    char    buffer[1024];
    double const max_ulong = MAX_U_32_NUM;
    unsigned long playlength_ms;

    ms *= 1000;
    ms /= cfg->samplerate_in;
    if (ms > max_ulong) {
        playlength_ms = max_ulong;
    }
    else if (ms < 0) {
        playlength_ms = 0;
    }
    else {
        playlength_ms = ms;
    }
    sprintf(buffer, "%lu", playlength_ms);
    copyV1ToV2(gfp, ID_PLAYLENGTH, buffer);
}
On line 241,
    lame_internal_flags *gfc = gfp != 0 ? gfp->internal_flags : 0;
the function checks gfp for NULL, but only to pick a value for gfc: if gfp == 0 then gfc is assigned 0, a NULL pointer, and execution continues. (gfc is also NULL if gfp is valid but gfp->internal_flags was never set up, which the code does not check either.)
Then on line 242,
    SessionConfig_t const *const cfg = &gfc->cfg;
the address of the cfg member is taken through the NULL gfc. Forming &gfc->cfg with gfc == NULL is already undefined behaviour in C; in practice compilers emit NULL plus the offset of cfg within lame_internal_flags, so cfg becomes a small invalid pointer near address zero.
Finally on line 248,
    ms /= cfg->samplerate_in;
that invalid pointer is dereferenced to read samplerate_in, and the process faults. Because the NULL check on line 241 does not stop the function, it offers no protection at all.
In order to fix the issue, validate whether the pointer is NULL before dereferencing it, and return early (or report an error) when it is. In this function that means checking both gfp and gfp->internal_flags, since cfg is derived from them. Example code:
    if (pointer != NULL) {
        /* perform operations */
    }
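The following is an added example written for this page, not LAME's own code or its eventual fix. It reimplements id3v2AddAudioDuration with the guard described above, written so the caller gets a status code instead of a silent crash, and includes a small harness that shows the two inputs that would have faulted in 3.99.5. The struct definitions are stand-ins shaped like the fields the report mentions (an assumption, not the real lame.h); the extra check on samplerate_in (to avoid dividing by zero) and the use of snprintf go beyond what the report itself asks for.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for LAME's private types, shaped like the fields the bug report
 * touches. These are assumptions made for this example, not LAME's headers. */
typedef struct {
    int samplerate_in;            /* input sample rate in Hz */
} SessionConfig_t;

typedef struct {
    SessionConfig_t cfg;
} lame_internal_flags;

typedef struct lame_global_flags {
    lame_internal_flags *internal_flags;
} lame_global_flags;

typedef lame_global_flags *lame_t;

#define MAX_U_32_NUM 0xFFFFFFFFUL

/* Hardened variant of id3v2AddAudioDuration. As in the original, `ms` is a
 * sample count that the function converts to milliseconds. The guard on gfp
 * and gfp->internal_flags is the fix the report asks for; the guard on
 * samplerate_in is an extra check so a zero rate cannot divide by zero.
 * Writes the decimal playlength into out and returns 0, or returns -1
 * without touching out when the state is unusable. */
static int
id3v2_add_audio_duration_safe(lame_t gfp, double ms, char *out, size_t outlen)
{
    lame_internal_flags *gfc;
    SessionConfig_t const *cfg;
    double const max_ulong = (double) MAX_U_32_NUM;
    unsigned long playlength_ms;

    if (gfp == NULL || (gfc = gfp->internal_flags) == NULL) {
        return -1;                /* nothing to dereference: refuse the call */
    }
    cfg = &gfc->cfg;              /* only formed once gfc is known non-NULL */
    if (cfg->samplerate_in <= 0) {
        return -1;
    }

    ms *= 1000;
    ms /= cfg->samplerate_in;
    if (ms > max_ulong) {
        playlength_ms = MAX_U_32_NUM;
    } else if (ms < 0) {
        playlength_ms = 0;
    } else {
        playlength_ms = (unsigned long) ms;
    }
    /* snprintf instead of sprintf: the value cannot overflow a 1024-byte
     * buffer, but bounding the write costs nothing. */
    snprintf(out, outlen, "%lu", playlength_ms);
    return 0;
}

/* Builds a fully initialised state with the given sample rate and returns the
 * status of the hardened call; the formatted duration is in out on status 0. */
static int
duration_for(int samplerate_in, double samples, char *out, size_t outlen)
{
    lame_internal_flags gfc;
    lame_global_flags gfp;
    memset(&gfc, 0, sizeof gfc);
    gfc.cfg.samplerate_in = samplerate_in;
    gfp.internal_flags = &gfc;
    return id3v2_add_audio_duration_safe(&gfp, samples, out, outlen);
}

int
main(void)
{
    char buf[32];
    lame_global_flags half_built = { NULL };   /* gfp valid, internal_flags not */

    /* The 3.99.5 code would crash on both of these calls. */
    printf("NULL gfp            -> %d\n",
           id3v2_add_audio_duration_safe(NULL, 44100.0, buf, sizeof buf));
    printf("NULL internal_flags -> %d\n",
           id3v2_add_audio_duration_safe(&half_built, 44100.0, buf, sizeof buf));

    /* 90 seconds of 44.1 kHz audio: 3969000 samples -> "90000" ms. */
    if (duration_for(44100, 3969000.0, buf, sizeof buf) == 0)
        printf("90 s at 44.1 kHz    -> %s ms\n", buf);
    return 0;
}
```

The point of returning a status rather than silently skipping the frame is that a caller which hands in a half-initialised lame_t has a bug of its own, and a crash-free function should still let that bug surface.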
It will be fixed in version 3.100.
A fix is now in CVS.