multiple security vulnerabilities in taglib
Zubin Mithra
zubin.mithra at gmail.com
Sun Mar 4 03:41:20 UTC 2012
Hello all,
Dhanesh K. and I performed a vulnerability assessment of the
taglib library (http://developer.kde.org/~wheeler/taglib.html). A few of the
vulnerabilities found include:
- Sanity checks are not performed for fields read from a media file, which
are later used to allocate memory. This causes a DoS due to application crash
at the very least; exploitability is unconfirmed.
An example :-
apeitem.cpp
APE::Item::parse(const ByteVector &data)
d->key = String(data.mid(8), String::UTF8);
- ogg/xiphcomment.cpp, Ogg::XiphComment::parse(const ByteVector &data)
There is control over "vendorLength", which can cause a string allocation of that
size, and over "commentFields", which is the number of times "commentLength" is
read and a string of size "commentLength" is allocated.
Causes DoS due to application crash at the very least; exploitability is
unconfirmed.
- ape/apeproperties.cpp, APE::Properties::analyzeCurrent()
Specially crafted ape media files with sampleRate set to "0" could lead
to an application crash (division by zero error).
d->sampleRate = header.mid(20, 4).toUInt(false);
d->length = totalBlocks / d->sampleRate;
- A crafted ogg file with a 1-bit change (0=>1) at offset 0x0000007f leads
to an infinite loop in the thread processing the tags.
Regards,
Zubin Mithra
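The pattern the report asks for, as an added example that is not part of the original post or of TagLib: a hypothetical, simplified parser for a Vorbis/Xiph-style comment block (vendor string, then a count of length-prefixed comment fields) that checks every length and count read from the file against the bytes actually present before allocating. Names such as parseXiphComment, readU32LE and readString are assumptions made for this example.

```cpp
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Hypothetical, simplified Vorbis/Xiph-style comment parser (added example, not TagLib
// code): every length read from the file is checked against the bytes present before allocating.
struct XiphComment {
    std::string vendor;
    std::vector<std::string> fields;
};
// Little-endian uint32 at 'pos'; false if fewer than 4 bytes remain.
static bool readU32LE(const std::vector<uint8_t>& d, size_t pos, uint32_t& out) {
    if (pos > d.size() || d.size() - pos < 4) return false;
    out = uint32_t(d[pos]) | uint32_t(d[pos + 1]) << 8 |
          uint32_t(d[pos + 2]) << 16 | uint32_t(d[pos + 3]) << 24;
    return true;
}

// Length-prefixed string; the declared length is honoured only if it fits.
static bool readString(const std::vector<uint8_t>& d, size_t& pos, std::string& out) {
    uint32_t len;
    if (!readU32LE(d, pos, len)) return false;
    pos += 4;
    if (len > d.size() - pos) return false;  // oversized length: reject, do not allocate
    out.assign(reinterpret_cast<const char*>(d.data() + pos), len);
    pos += len;
    return true;
}

// Returns false on any malformed length field instead of crashing or over-allocating.
bool parseXiphComment(const std::vector<uint8_t>& d, XiphComment& out) {
    XiphComment tmp;
    size_t pos = 0;
    if (!readString(d, pos, tmp.vendor)) return false;
    uint32_t count;
    if (!readU32LE(d, pos, count)) return false;
    pos += 4;
    // Each field needs at least a 4-byte length prefix, so a count above
    // remaining/4 cannot be honest; reject before reserving that many strings.
    if (count > (d.size() - pos) / 4) return false;
    tmp.fields.reserve(count);
    for (uint32_t i = 0; i < count; ++i) {
        std::string s;
        if (!readString(d, pos, s)) return false;
        tmp.fields.push_back(std::move(s));
    }
    out = std::move(tmp);
    return true;
}
```

The same check-before-use discipline applies to numeric fields such as the APE sampleRate: a zero value must be rejected before it is used as a divisor.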