mp3: fix buffer overflow when max_frames is too large

The function decodeFirstFrame() allocates memory based on data from the mp3 header. This can make the buffer size allocation overflow, or lead to a DoS attack with a very large buffer. Cap this buffer at 8 million frames, which should really be enough for reasonable files.

mp3: fix buffer overflow when max_frames is too large
913028a7 · Max Kellermann · ef0e2fdc · 913028a7
Commit 913028a7 authored Sep 17, 2008 by Max Kellermann
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

mp3_plugin.c src/inputPlugins/mp3_plugin.c +5 -0

No files found.
--- a/src/inputPlugins/mp3_plugin.c
+++ b/src/inputPlugins/mp3_plugin.c
@@ -776,6 +776,11 @@ static int decodeFirstFrame(mp3DecodeData * data,

 	if (!data->maxFrames) return -1;

+	if (data->maxFrames > 8 * 1024 * 1024) {
+		ERROR("mp3 file header indicates too many frames: %lu", data->maxFrames);
+		return -1;
+	}
+
 	data->frameOffset = xmalloc(sizeof(long) * data->maxFrames);
 	data->times = xmalloc(sizeof(mad_timer_t) * data->maxFrames);