<br><div class="gmail_quote">2012/3/4 Lukáš Lalinský <span dir="ltr"><<a href="mailto:lalinsky@gmail.com">lalinsky@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Thank you for the bug reports.<br>
<div class="im"><br>
On Sun, Mar 4, 2012 at 4:41 AM, Zubin Mithra <<a href="mailto:zubin.mithra@gmail.com">zubin.mithra@gmail.com</a>> wrote:<br>
> - Sanity checks are not performed for fields read from a media file, which<br>
> are used to allocate memory later on. Causes DoS due to application crash at<br>
> the very least, exploitability is unconfirmed.<br>
><br>
> An example :-<br>
> apeitem.cpp<br>
> APE::Item::parse(const ByteVector &data)<br>
> d->key = String(data.mid(8), String::UTF8);<br>
<br>
</div>This doesn't necessarily cause problems, because the data array only<br>
contains real data from the file. If the file is too large, I think<br>
it's reasonable that it tries to allocate such a large string.<br>
<br>
On the other hand, maybe I overlooked something. If so, could you<br>
please provide a file where this happens?<br>
<div class="im"><br>
> - ogg/xiphcomment.cpp, Ogg::XiphComment::parse(const ByteVector &data)<br>
> Control over "vendorLength" and can cause a string allocation with that<br>
> size. Control over "commentFields" which is the number of times,<br>
> "commentLength" is read and a string of size "commandLength" is allocated.<br>
> Causes DoS due to application crash at the very least, exploitability is<br>
> unconfirmed.<br>
<br>
</div>The same here, it won't try to allocate a string that is larger than<br>
the actual data length. So this happens only for files that are<br>
actually that large, simply modifying the length field in the file<br>
will not cause problems.<br>
<br>
There was one related bug, if the file was too large, it would read<br>
the vendorLength incorrectly. Fixed in<br>
<a href="https://github.com/taglib/taglib/commit/ab8a0ee8937256311e649a88e8ddd7c7f870ad59" target="_blank">https://github.com/taglib/taglib/commit/ab8a0ee8937256311e649a88e8ddd7c7f870ad59</a><br>
<div class="im"><br>
> - ape/apeproperties.cpp, APE::Properties::analyzeCurrent()<br>
> Specially crafted ape media files with sampleRate being "0" could lead<br>
> to application crash, division by zero error.<br>
><br>
> d->sampleRate = header.mid(20, 4).toUInt(false);<br>
> d->length = totalBlocks / d->sampleRate;<br>
<br>
</div>Fixed in <a href="https://github.com/taglib/taglib/commit/77d61c6eca4d08b9b025738acf6b926cc750db23" target="_blank">https://github.com/taglib/taglib/commit/77d61c6eca4d08b9b025738acf6b926cc750db23</a><br>
<div class="im"><br>
> - crafted ogg file with a 1-bit change (0=>1) at the offset 0x0000007f leads<br>
> to an infinite loop in the thread processing the tags.<br>
<br>
</div>I have trouble reproducing this. Could you send me the modified file<br>
to <a href="mailto:lalinsky@gmail.com">lalinsky@gmail.com</a>?<br></blockquote><div><br></div><div>Thank you for your quick response, I shall send over the files asap.</div><div><br></div><div>Cheers,</div><div>zm</div><div>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Lukas<br>
_______________________________________________<br>
taglib-devel mailing list<br>
<a href="mailto:taglib-devel@kde.org">taglib-devel@kde.org</a><br>
<a href="https://mail.kde.org/mailman/listinfo/taglib-devel" target="_blank">https://mail.kde.org/mailman/listinfo/taglib-devel</a><br>
</blockquote></div><br>
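<div>The two fixes discussed in this thread, a length-prefixed Xiph/Vorbis comment parse that checks every length field against the bytes actually present and an APE duration computation that does not divide by a zero sampleRate, as an added standalone example; this is not TagLib's code, and the function names and the sample bytes are constructed here.</div>

```cpp
#include <cstdint>
#include <cstddef>
#include <string>
#include <vector>

// Reads a little-endian uint32 at pos, refusing to read past the end of data.
static bool readU32LE(const std::vector<uint8_t>& d, size_t pos, uint32_t& out) {
    if (pos > d.size() || d.size() - pos < 4) return false;
    out = uint32_t(d[pos]) | (uint32_t(d[pos + 1]) << 8) |
          (uint32_t(d[pos + 2]) << 16) | (uint32_t(d[pos + 3]) << 24);
    return true;
}

// Parses a Vorbis/Xiph comment block: vendorLength + vendor string, then
// commentFields entries of commentLength + text. Every length field is checked
// against the bytes that actually remain, so a forged vendorLength or
// commentLength cannot request an allocation larger than the input, and a
// forged commentFields count stops at end of data instead of spinning.
bool parseXiphComment(const std::vector<uint8_t>& data, std::string& vendor,
                      std::vector<std::string>& comments) {
    size_t pos = 0;
    uint32_t vendorLength = 0;
    if (!readU32LE(data, pos, vendorLength)) return false;
    pos += 4;
    if (data.size() - pos < vendorLength) return false;   // claims more than present
    vendor.assign(data.begin() + pos, data.begin() + pos + vendorLength);
    pos += vendorLength;
    uint32_t commentFields = 0;
    if (!readU32LE(data, pos, commentFields)) return false;
    pos += 4;
    for (uint32_t i = 0; i < commentFields; ++i) {
        uint32_t commentLength = 0;
        if (!readU32LE(data, pos, commentLength)) return false;  // list truncated
        pos += 4;
        if (data.size() - pos < commentLength) return false;
        comments.emplace_back(data.begin() + pos, data.begin() + pos + commentLength);
        pos += commentLength;
    }
    return true;
}

// APE duration in seconds: totalBlocks / sampleRate, with sampleRate == 0
// treated as unknown (returns 0) rather than dividing by zero.
uint32_t apeLengthSeconds(uint32_t totalBlocks, uint32_t sampleRate) {
    return sampleRate == 0 ? 0 : totalBlocks / sampleRate;
}

// Constructed sample (not from a real file): vendor "v" and one comment "A=B".
const std::vector<uint8_t> kSampleComment = {1,0,0,0,'v', 1,0,0,0, 3,0,0,0,'A','=','B'};
```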