#476 Division by Zero by crafted mpeg file

[Kirit Sankar Gupta]

There seems to be a division by zero happening in the get_audio_common within lame-3.99.5/frontend/get_audio.c when it is fed with a crafted audio file. This can be seen here:

int num_channels = lame_get_num_channels(gfp);

The num_channels variable gets a value from the lame_get_num_channels function. Looking at the function code:

if (is_lame_global_flags_valid(gfp)) {
   return gfp->num_channels;
}
return 0;

So if gfp is not valid, 0 is being returned, which gets assigned to the num_channels variable.

Eventually, the code flows into another similar if-block where if (is_mpeg_file_format(global_reader.input_format)) is being checked, just like in the previous instance. However, the num_channels variable is not being modified here. It is only modified in the else block, which we already know is not true.

Finally, the Division by Zero is occurring in samples_read /= num_channels;
This would cause a DoS if a crafted mpeg file is being provided to the encoder.

There should definitely be a check to confirm:

if (num_channels != 0)
    samples_read /= num_channels;

[Elio Blanca]

Are you sure this can happen in a real case?
Before calling lame_get_num_channels, you have to call the similar lame_set_num_channels, this only allows setting 1 or 2 as valid channels. Further, when a valid library init is performed, gfp is always a valid pointer.

Also, in current CVS code you can find a check against not allowed values (including channels).

[Kirit Sankar Gupta]

If there are checks against no allowed values, then this can be considered fixed.