Mans Rullgard
-
2019-04-24
- status: open --> closed-fixed
In fft4g.c function bitrv2, there is no check on the value passed to the argument "n". If the value of "n" is big enough, it results in "m + l" having a value greater than 256. However, the buffer "ip" is statically allocated with a size of 256, hence it will be a stack-buffer-overflow. Attached is a sample of the input file. The command to trigger the bug is --single-threaded <file> -t aiff /dev/null channels 1 rate 16k fade 3 norm. Some information about the binary: 32 bit, limited to 800MB memory, under Linux Ubuntu 16.04, compiled with libmad only.
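The guard the report says is missing, as an added example that is not part of the bug report and not SoX's own code. It assumes the work-area requirement documented in the header comment of Ooura's fft4g.c (length of ip >= 2 + (1 << (int)(log(n/2 + 0.5)/log(2))/2), i.e. at least 2 + sqrt(n/2)) and a dry run of the table-building loop of bitrv2 reconstructed from the publicly distributed fft4g.c, including the "+ 2" offset with which cdft/rdft hand ip to bitrv2; that SoX's copy has the same loop is an assumption, and the function names fft4g_ip_len_required, bitrv2_max_ip_index, fft4g_n_fits and fft4g_largest_n_for are hypothetical. The point it makes concretely: a 256-int work area covers transforms only up to n = 65536, and any larger power of two must be rejected or given a heap-allocated work area before bitrv2 runs.

```c
#include <stdio.h>

/* Size of the fixed work area described in the report (hypothetical name). */
#define IP_LEN 256

/* Work-area length required for transform length n, as documented in the
 * fft4g.c header: 2 + (1 << (int)(log(n/2 + 0.5)/log(2))/2). Computed with
 * integer arithmetic (floor(log2(n/2)) instead of the floating-point log)
 * so it is exact for the power-of-two n that fft4g.c requires. */
int fft4g_ip_len_required(int n)
{
    int half, log2_half = 0;

    if (n < 2)
        return 2;                       /* only the bookkeeping slots ip[0], ip[1] */
    half = n / 2;
    while ((half >> (log2_half + 1)) != 0)
        log2_half++;
    return 2 + (1 << (log2_half / 2));
}

/* Dry run of the table-building loop at the top of bitrv2 (reconstruction,
 * assumption: m starts at 1 and doubles while 8*m < l, l halves, and each
 * pass writes ip[m + j] for j < m). Returns the highest index into the
 * caller's ip that would be written, counting the "+ 2" offset used when
 * cdft/rdft call bitrv2(n, ip + 2, a). No memory is touched. */
int bitrv2_max_ip_index(int n)
{
    int l = n, m = 1, max_index = 0;   /* sub-array index 0 is always written */

    while ((m << 3) < l) {
        l >>= 1;
        max_index = m + (m - 1);        /* last write of this pass: j = m - 1 */
        m <<= 1;
    }
    return 2 + max_index;
}

/* The check missing from the path the report describes: n must be a power
 * of two and its work-area requirement must fit in the ip_len ints available.
 * Returns 1 if the transform may run, 0 if the caller must reject n or
 * allocate a larger work area. */
int fft4g_n_fits(int n, int ip_len)
{
    if (n < 2 || (n & (n - 1)) != 0)
        return 0;
    return fft4g_ip_len_required(n) <= ip_len;
}

/* Largest power-of-two n a work area of ip_len ints can serve. */
int fft4g_largest_n_for(int ip_len)
{
    int k, best = 0;

    for (k = 1; k <= 30; k++) {         /* 1 << 30 keeps n inside int range */
        if (!fft4g_n_fits(1 << k, ip_len))
            break;
        best = 1 << k;
    }
    return best;
}

int main(void)
{
    int k;

    printf("work area: %d ints, largest usable n = %d\n",
           IP_LEN, fft4g_largest_n_for(IP_LEN));
    printf("%10s %10s %12s %s\n", "n", "required", "max index", "fits");
    for (k = 12; k <= 20; k++) {
        int n = 1 << k;
        printf("%10d %10d %12d %s\n", n, fft4g_ip_len_required(n),
               bitrv2_max_ip_index(n),
               fft4g_n_fits(n, IP_LEN) ? "yes" : "NO (overflow)");
    }
    return 0;
}
```

The documented requirement is deliberately conservative (for odd powers of two it is twice what the dry run shows the loop touching), so size the work area from fft4g_ip_len_required rather than from the loop; the dry run is there only to show that the two agree on where the 256-int buffer stops being enough.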