multiple security vulnerabilities in taglib
zubin.mithra at gmail.com
Sun Mar 4 03:41:20 UTC 2012
Dhanesh K. and I performed a vulnerability assessment of the
taglib library (http://developer.kde.org/~wheeler/taglib.html). A few of
the vulnerabilities that were found include:
- Sanity checks are not performed for fields read from a media file which
are later used to allocate memory. This causes a DoS due to application
crash at the very least; exploitability is unconfirmed.
An example:
APE::Item::parse(const ByteVector &data)
d->key = String(data.mid(8), String::UTF8);
- ogg/xiphcomment.cpp, Ogg::XiphComment::parse(const ByteVector &data):
Control over "vendorLength" can cause a string allocation of that
size. Control over "commentFields", which is the number of times
"commentLength" is read and a string of size "commentLength" is allocated.
Causes a DoS due to application crash at the very least; exploitability is
- ape/apeproperties.cpp, APE::Properties::analyzeCurrent():
Specially crafted APE media files with sampleRate being "0" could lead
to an application crash (division by zero error).
d->sampleRate = header.mid(20, 4).toUInt(false);
d->length = totalBlocks / d->sampleRate;
- A crafted ogg file with a 1-bit change (0=>1) at offset 0x0000007f leads
to an infinite loop in the thread processing the tags.
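Added example (not TagLib's code and not part of the original mail): a hardened stand-in for the APE item parse and the analyzeCurrent() division described above, written in C++ with a constructed ByteVector alias. It checks the file-supplied length against the bytes actually present before allocating and rejects a zero sampleRate before dividing; the same remaining-bytes check applies to vendorLength and commentLength in the Xiph comment parser.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Constructed stand-in for TagLib's ByteVector: the raw bytes of one tag item.
using ByteVector = std::vector<uint8_t>;

// Little-endian 32-bit read; callers guarantee offset + 4 <= data.size().
static uint32_t readUInt32LE(const ByteVector &data, size_t offset) {
    return uint32_t(data[offset]) | (uint32_t(data[offset + 1]) << 8) |
           (uint32_t(data[offset + 2]) << 16) | (uint32_t(data[offset + 3]) << 24);
}

struct ApeItem {
    std::string key;
    std::vector<uint8_t> value;
};

// Hypothetical hardened APEv2 item parse (not TagLib's). Assumed layout:
// [valueLength:4 LE][flags:4 LE][key, NUL-terminated][value: valueLength bytes].
// Every file-controlled length is checked against the bytes actually present
// before anything is allocated from it; malformed input returns false.
bool parseApeItem(const ByteVector &data, ApeItem &out) {
    if (data.size() < 8)
        return false;                          // header itself is truncated
    const uint32_t valueLength = readUInt32LE(data, 0);
    size_t keyEnd = 8;
    while (keyEnd < data.size() && data[keyEnd] != 0)
        ++keyEnd;
    if (keyEnd == data.size())
        return false;                          // key is never NUL-terminated
    const size_t valueStart = keyEnd + 1;
    if (valueLength > data.size() - valueStart)
        return false;                          // length claims more than is there
    out.key.assign(data.begin() + 8, data.begin() + keyEnd);
    out.value.assign(data.begin() + valueStart,
                     data.begin() + valueStart + valueLength);
    return true;
}

// Hardened counterpart of the analyzeCurrent() division: a zero sampleRate
// read from the header is rejected instead of being divided by.
bool apeLengthSeconds(uint32_t totalBlocks, uint32_t sampleRate, uint32_t &seconds) {
    if (sampleRate == 0)
        return false;
    seconds = totalBlocks / sampleRate;
    return true;
}
```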