Thread: [mpg123-users] Do mpg123_distversion and mpg123_libversion really not exist?
From: Martin G. <mar...@gm...> - 2024-10-30 03:55:14
Thanks again. On a different subject, I thought I'd check for the mpg123 version being earlier than 1.32.8 before setting NO_FRANKENSTEIN, but am getting that mpg123_distversion() is undefined despite being documented, and I can't find any mention of it in mpg123.h (nor of mpg123_libversion() as it happens), only the #define MPG123_API_VERSION.

If mpg123_*version() really don't exist, I thought I could enable monster protection if MPG123_API_VERSION <= 47 and ask you to bump the API_VERSION in the next release, but just noticed that its value has dropped from 48 to 47 between 1.32.7 and 1.32.8, so I'm now even more confused than before.

It would be nice to let people deal with monster files safely in the future - how should I proceed?

Blessings
M
From: Martin G. <mar...@gm...> - 2024-10-30 04:14:11
On 30/10/24 04:54, Martin Guy wrote:
> If mpg123_*version() really don't exist, I thought I could enable
> monster protection if MPG123_API_VERSION <= 47 and ask you to bump the
> API_VERSION in the next release but just noticed that its value has
> dropped from 48 to 47 between 1.32.7 and 1.32.8 so I'm now even more
> confused than before.

Oops, my bad. I was looking at the installed header (Debian stable), not the 1.32.8 header. Definitely confused. Instead, both 1.32.7 and 1.32.8 have

#define MPG123_API_VERSION 48
/** library patch level at client build time */
#define MPG123_PATCHLEVEL 2

so maybe the PATCHLEVEL could be bumped in the next micro release so that there will be something to check against, to have everything smooth out at some point in the future.

Sorry for the noise
M
From: Thomas O. <tho...@or...> - 2024-11-01 08:03:25
On Wed, 30 Oct 2024 05:13:55 +0100, Martin Guy <mar...@gm...> wrote:

> Instead, both 1.32.7 and 1.32.8 have
>
> #define MPG123_API_VERSION 48
> /** library patch level at client build time */
> #define MPG123_PATCHLEVEL 2

Yes, you noticed correctly. I've also seen that just after doing the release and am _really_ annoyed by this mistake. I'll have to push a 1.32.9, I guess. People then can check for API 48 patchlevel 3. But this does not yet really matter for running more conservative Linux distros, as those don't yet have picked up 1.32 at all and there is no mpg123_libversion().

> so maybe the PATCHLEVEL could be bumped in the next micro release so
> that there will be something to check against to have everything smooth
> out at some point in the future.

Well, what you can do is check the distversion. If it is present and indicates ≥ 1.32.8, you got the fix. The MPG123_PATCHLEVEL only helps you at build-time, anyway.

#include <mpg123.h>
#include <stdio.h>

int main()
{
	unsigned maj=0, min=0, patch=0;
	/* Version of the libmpg123 actually loaded at run time, not of the header. */
	mpg123_distversion(&maj, &min, &patch);
	if((maj == 1 && min < 32) || (maj == 1 && min == 32 && patch < 8))
	{
		printf("vulnerable\n");
		return 1;
	}
	return 0;
}

Once the new release is out, this simplifies to

int main()
{
	unsigned api=0, patch=0;
	/* API version and patch level of the loaded library; 1.32.9 reports 48 / 3. */
	api = mpg123_libversion(&patch);
	if(api < 48 || (api == 48 && patch < 3))
	{
		printf("vulnerable\n");
		return 1;
	}
	return 0;
}

Sorry for the messup.

Alrighty then,

Thomas
From: Martin G. <mar...@gm...> - 2024-11-02 09:11:26
On 01/11/24 09:03, Thomas Orgis wrote:
> On Wed, 30 Oct 2024 05:13:55 +0100,
> Martin Guy <mar...@gm...> wrote:
>> Instead, both 1.32.7 and 1.32.8 have
>>
>> #define MPG123_API_VERSION 48
>> /** library patch level at client build time */
>> #define MPG123_PATCHLEVEL 2
> The MPG123_PATCHLEVEL only helps you at build-time, anyway.

Build time is fine by me - but can a distributed binary dynamically link against different versions of libmpg123 depending where it lands?

It seems that even MPG123_API_VERSION appeared at some point between 1.0.0 and now, and I'm not hacking the configure script to check for the existence of mpg123_*version(), so I'm using:

+ error = mpg123_param(p->handle, MPG123_FLAGS, MPG123_FUZZY | MPG123_SEEKBUFFER | MPG123_GAPLESS | MPG123_FORCE_FLOAT
+ /* Before mpg123-1.32.8 there was a potential exploit for which one workaround
+ * is to set MPG123_NO_FRANKENSTEIN but there seems to be no way to check
+ * the exact mpg123 version (mpg123_distversion() is undefined),
+ * so do this for all versions up to and including the fixed version
+ * so that in the future this workaround will go away.
+ * https://mpg123.de/#2024-10-26
+ */
+#if !defined(MPG123_API_VERSION) || !defined(MPG123_PATCHLEVEL) || MPG123_API_VERSION < 48 || (MPG123_API_VERSION == 48 && MPG123_PATCHLEVEL <= 2)
+ | MPG123_NO_FRANKENSTEIN
+#endif
+ , 0);

so it should be OK even if PATCHLEVEL++ happens in the far future.

> Sorry for the messup.

Worry not, old friend. The more you do, the more mistakes you make. You should *see* some of the mistakes I make, and a lot of them embarrassingly public. Fixing a stupid compiler warning with a bracket in the wrong place and making the reverb distort. The test suite caught that before it went public, thank Knuth. The only ones who don't make mistakes are the ones who never do anything.

Alrighty then
M
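Review bot: the `#if !defined(MPG123_API_VERSION) || ... MPG123_PATCHLEVEL <= 2` guard decides purely at build time from the header, so a binary built against 1.32.9 headers (API 48, patchlevel 3) but run against an older shared libmpg123, exactly the dynamic-linking case raised in this message, will silently omit MPG123_NO_FRANKENSTEIN. Where the header is API 48 or later, call mpg123_distversion() at run time as in the earlier reply and only leave the flag out when the loaded library reports 1.32.8 or newer; keep the unconditional `| MPG123_NO_FRANKENSTEIN` for older headers, where the function is not declared. Two smaller points in the comment block: "mpg123_distversion() is undefined" is only true of pre-1.32 headers, and the link should be the permanent one, https://mpg123.de/cgi-bin/news.cgi#2024-10-26, since the main-page anchor goes away once 1.33 is out.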
From: Thomas O. <tho...@or...> - 2024-11-02 09:17:08
See released 1.32.9 now...and just a small one:

>+ * so that in the future this workaround will go away.
>+ * https://mpg123.de/#2024-10-26
>+ */

A more permanent link is <https://mpg123.de/cgi-bin/news.cgi#2024-10-26>. The 1.32 news will vanish from the main page once 1.33 arrives.

Alrighty then,

Thomas
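An added example, not code from this thread or from mpg123 itself, that combines the two approaches discussed above: the header-based build-time check from Martin's patch and the runtime mpg123_distversion() call from Thomas's reply, so that a binary built against a new header still keeps the flag when it lands next to an older shared library. The __has_include guard and the HAVE_MPG123_HEADER macro are assumptions made here so the file also compiles on a machine without mpg123.h.

```c
#include <stdio.h>

/* Assumption: include mpg123.h only where it exists, so this also builds
 * without libmpg123 installed. HAVE_MPG123_HEADER is defined here and is
 * not an mpg123 macro. */
#if defined(__has_include)
#  if __has_include(<mpg123.h>)
#    include <mpg123.h>
#    define HAVE_MPG123_HEADER 1
#  endif
#endif

/* The fix shipped in 1.32.8: any loaded library before that needs the flag. */
int mpg123_needs_workaround(unsigned maj, unsigned min, unsigned patch)
{
    if (maj != 1)  return maj < 1;
    if (min != 32) return min < 32;
    return patch < 8;
}

/* Same decision in mpg123_libversion() terms. 1.32.7 and 1.32.8 both report
 * API 48 / patchlevel 2, so only 48/3 (1.32.9) or a newer API is known good. */
int mpg123_api_needs_workaround(unsigned api, unsigned patchlevel)
{
    return api < 48 || (api == 48 && patchlevel < 3);
}

/* Ask the library that was actually loaded, when the header lets us; returns 1
 * if MPG123_NO_FRANKENSTEIN should be OR-ed into the MPG123_FLAGS value. */
int decide_workaround(const char **reason)
{
#if defined(HAVE_MPG123_HEADER) && MPG123_API_VERSION >= 48
    unsigned maj = 0, min = 0, patch = 0;
    /* Reports the shared library's version, not the header's. The loaded
     * library must itself be 1.32 or later to export this symbol at all. */
    mpg123_distversion(&maj, &min, &patch);
    *reason = "runtime mpg123_distversion()";
    return mpg123_needs_workaround(maj, min, patch);
#else
    /* Pre-API-48 header: no way to ask at run time, so keep the flag on;
     * the cost is refusing streams that change format mid-way. */
    *reason = "no mpg123_distversion() in header, assuming pre-1.32.8";
    return 1;
#endif
}
```

Call decide_workaround() once before mpg123_param() and add MPG123_NO_FRANKENSTEIN to the flags when it returns 1.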