Forgot to say that the diff looks fine.
=============================================
Eric Hyche (ehyche real.com)
Technical Lead
RealNetworks, Inc.
> -----Original Message-----
> From: datatype-dev-bounces helixcommunity.org
> [mailto:datatype-dev-bounces helixcommunity.org] On Behalf Of Todd Zupan
> Sent: Friday, September 29, 2006 1:08 PM
> To: datatype-dev helixcommunity.org
> Subject: [datatype-dev] RE: heap overflow in mp3 ID3 tag parsing
>
> Resending to proper address.
>
> ________________________________
>
> From: Todd Zupan [mailto:tzupan real.com]
> Sent: Thursday, September 28, 2006 5:46 PM
> To: datatype-dev lists.helixcommunity.org
> Subject: heap overflow in mp3 ID3 tag parsing
>
> There is an error in the ID3Lib code when parsing the size of certain tags.
> The tag size is calculated with an atoi call on a 5-character string (read
> from the file), but the problem is that the value is converted to an unsigned
> value without checking it first. A malicious (or corrupted) file can set the
> string that stores the length to -1, which gets converted to 0xFFFFFFFF (when
> it's converted to an unsigned value). Since no checking is done on this size,
> the library will allocate a buffer of that size and try to read the data into
> it. The fix is to also store the signed value when calling atoi, and check
> that for invalid results (make sure the size stored is an appropriate size,
> which should just be > 0).
>
> I have attached the DIFF for a possible fix which I will submit a CR for
> later. I wanted to know what branches it needs to be checked into, though. I
> am working off a local branch, but I know this error is still present in the
> HEAD branch, as well as cay150. Are there any other branches that this will
> need to be checked into?
>
> Thanks,
>
> Todd Zupan
>
> RealNetworks
>
_______________________________________________
Datatype-dev mailing list
Datatype-dev helixcommunity.org
http://lists.helixcommunity.org/mailman/listinfo/datatype-dev
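As an added illustration for readers of this thread (not Todd's diff, which is not on the page, and not ID3Lib's actual code), the unchecked atoi-to-unsigned pattern he describes beside a checked variant that keeps the signed result and rejects anything that is not a sane positive size; the 5-byte field length, the upper bound and the function names are assumptions:

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions for this illustration (not ID3Lib's real code): the size
 * field is a 5-character ASCII decimal string copied from the file, and
 * no tag larger than MAX_TAG_SIZE is acceptable. */
#define TAG_SIZE_FIELD_LEN 5
#define MAX_TAG_SIZE (1024UL * 1024UL)   /* hypothetical sanity bound */

/* The pattern the report describes: the atoi() result is stored straight
 * into an unsigned, so "-1" becomes 0xFFFFFFFF and an allocation of that
 * size would be attempted next. Shown for contrast only. */
unsigned long vulnerable_tag_size(const char *field)
{
    return (unsigned long)(unsigned int)atoi(field);
}

/* Checked variant: parse with strtol, keep the signed result, and reject
 * non-numeric input, trailing junk, values that are not > 0, and values
 * beyond the bound. Returns 0 on rejection (0 is never a valid size). */
unsigned long checked_tag_size(const char *field)
{
    char buf[TAG_SIZE_FIELD_LEN + 1];
    char *end;
    long value;

    /* Copy at most 5 bytes so an unterminated field cannot over-read. */
    strncpy(buf, field, TAG_SIZE_FIELD_LEN);
    buf[TAG_SIZE_FIELD_LEN] = '\0';

    errno = 0;
    value = strtol(buf, &end, 10);
    if (end == buf || *end != '\0')       /* empty, or not all digits */
        return 0;
    if (errno == ERANGE || value <= 0)    /* overflow, negative, or zero */
        return 0;
    if ((unsigned long)value > MAX_TAG_SIZE)
        return 0;
    return (unsigned long)value;
}
```

The caller should treat a 0 return as a malformed tag and stop parsing rather than allocating.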