There seems to be a NULL Pointer Dereference issue in the hip_t hip_decode_init function within /lame-3.99.5/libmp3lame/mpglib_interface.c that can be triggered by supplying a malformed mpg file. The issue results from the use of calloc to allocate a memory block the size of sizeof(hip_global_flags).
Knowing how calloc works, if the output of sizeof(hip_global_flags) is >65535, calloc will return a NULL Pointer.
This NULL Pointer is then being passed to the InitMp3 function and being dereferenced in memset(mp, 0, sizeof(MPSTR));
Maybe using:
    if (mp != NULL)
        memset(mp, 0, sizeof(MPSTR));
would be a better implementation of the code.
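The pattern the report describes, as an added example rather than LAME's own code: a simplified stand-in for the MPSTR structure (field names are made up here), an allocator hook that lets a test force calloc to return NULL, and the initializer in two forms, the unchecked one that runs memset on whatever pointer it is handed and a hardened one that refuses a NULL block and propagates the failure up to the caller so the outer init returns NULL instead of crashing. All names prefixed model_ are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for LAME's MPSTR; the fields are invented for this example. */
typedef struct {
    int header_parsed;
    int side_parsed;
    int data_parsed;
    unsigned char buf[64];
} model_mpstr;

typedef model_mpstr *model_hip_t;

/* Allocator indirection so a caller can simulate calloc returning NULL. */
static void *(*model_calloc)(size_t, size_t) = calloc;

static void *calloc_always_fails(size_t n, size_t sz)
{
    (void)n;
    (void)sz;
    return NULL;
}

void model_set_calloc_failing(int fail)
{
    model_calloc = fail ? calloc_always_fails : calloc;
}

/* Pattern from the report: memset runs before any NULL check, so a failed
 * allocation becomes a NULL pointer dereference here. */
void model_init_mp3_unchecked(model_mpstr *mp)
{
    memset(mp, 0, sizeof(model_mpstr)); /* crashes when mp == NULL */
    mp->header_parsed = 0;
}

/* Hardened variant: never touch a NULL block, and tell the caller it failed. */
int model_init_mp3_checked(model_mpstr *mp)
{
    if (mp == NULL)
        return 0;
    memset(mp, 0, sizeof(model_mpstr));
    mp->header_parsed = 0;
    return 1;
}

/* Outer init as described in the report: allocate, then hand the block on. */
model_hip_t model_hip_decode_init_unchecked(void)
{
    model_mpstr *mp = model_calloc(1, sizeof(model_mpstr));
    model_init_mp3_unchecked(mp);
    return mp;
}

/* Hardened outer init: allocation failure yields NULL to the caller. */
model_hip_t model_hip_decode_init_checked(void)
{
    model_mpstr *mp = model_calloc(1, sizeof(model_mpstr));
    if (!model_init_mp3_checked(mp)) {
        free(mp); /* free(NULL) is a no-op, so this is safe either way */
        return NULL;
    }
    return mp;
}

int main(void)
{
    model_set_calloc_failing(1);
    model_hip_t h = model_hip_decode_init_checked();
    printf("with failing calloc, checked init returned %s\n",
           h == NULL ? "NULL (no crash)" : "a block");

    model_set_calloc_failing(0);
    h = model_hip_decode_init_checked();
    printf("with working calloc, checked init returned %s\n",
           h == NULL ? "NULL" : "a zeroed block");
    free(h);
    return 0;
}
```

Running model_hip_decode_init_unchecked() with the failing allocator is the crash the report predicts, so the demonstration only exercises the checked path; the point of the hardened version is that the caller, not memset, is the one that sees the allocation failure.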
Could you attach a reproducer file to this issue report, thanks?
Henri, I don't have a file which reproduces this Null Pointer Dereference condition. This was found purely by looking at the source.
So, if it were a problem, then any mpeg input file would trigger it. But I never got feedback in years that it actually happens.
Unless I'm wrong, the 3.100 upstream version introduced a check in InitMP3 before doing the memset.
As Salvatore points out, this issue (CVE-2017-15019) appears to be addressed with https://sourceforge.net/p/lame/svn/6386/tree/trunk/lame/mpglib/interface.c?diff=59e1c885dab7b929b5817e2e:6385