#132 Infinite loop when parsing WAV file

[Anonymous]

Hello, I manage a music dstribution site. Sometimes people upload WAV files isntead of MP3s and we run tham through mpg123 -t to test if they're really mp3s with a bad extension, or even if they're something else mislabeled as mp3. Usually it's no problem. However we recently ran across a file that triggered an infinite loop in the mpg123 parser, wreaking havoc on our servers. Perhaps you can avoid that in a future release (tested with versions 1.9.1 and 1.10.0)

Attached is a -vvv excerpt of the mpg123 output. The loop happens on lines 960 and 669 of parser.c. If you need the original file, just ask me privately because it's 200 MB.

[Anonymous]

Infinite loop -vvv dump

[Thomas Orgis]

Well, that loop is not endless... it only feels that way because basically the file is read in steps of single bytes.
But you are right in pointing out that certain data (I reproduced it with /dev/urandom) makes mpg123 take more time than needed to determine that it's no MPEG audio.

The mpg123 code has a limit of 64K for searching the first header (disregarding known data structures like ID3v2 or RIFF headers), but that limit is counted anew many times in your case (the search starts again and again, after intermediate finding of valid headers that do not stand further tests).

I added a fix that better enforces the overall limit of 64K of single-byte reads and uploaded a prerelease that contains it: http://mpg123.org/download/mpg123-1.10.1-prerelease2.tar.bz2 .
Please test that one and report back.

[Nobody/Anonymous]

The loop is endless in my case. I have the same problem, except decode_header() fails because it "encountered free format header, but failed to guess framesize". In this case my application is feeding data with mpg123_feed(), as I'm transcoding inline (HTTP/ICY to RTSP).

This almost killed my server by filling the disk up with the log messages; apparently OpenSSH was blocking on trying to create a tty.

I'm still pouring through the code to figure out exactly why it keeps looping. As you said it should be stumbling forward, though I'm still trying to wrap my head around the I/O code.

- william@25thandClement.com

[Thomas Orgis]

Oh, free format header together with feeder mode. Well, bogus free format header, I suppose.
Free format support still has a FIXME in it for feeder mode. But, your decoding is supposed to fail in the case you hit a free format header that cannot be worked out, not go on endlessly.
Two things: Does your issue persist when you use an older mpg123 release, namely 1.8.1?
And second... is there a way to reproduce it? Test stream?

At least providing a log from a debug build of mpg123 would be very helpful.
Do you mean that you get an endless loop with "encountered free format header, but failed..." in it, looking like the first poster's log?

Did you test with the prerelease?

[Thomas Orgis]

Please have a look at the new prerelease:
http://mpg123.org/download/mpg123-1.10.1-prerelease3.tar.bz2

I fixed (bogus) free format handling for the feeder... added some hooks to make sure it advances and does not enter an endless loop (and yes, the related code is not pretty, needs rework some time...).

[Thomas Orgis]

1.10.1 has the fix.