Thread: heap overflow in mp3 ID3 tag parsing

heap overflow in mp3 ID3 tag parsing
user name
2006-09-29 18:03:00
If this fix is needed for a slip-stream release of RP10.5 for windows, the fix should also be included in hxclient_1_2_1_neptune.
Please consult bobclark@real.com regarding appropriate branch for RP10 for OS-X but these should be hxclient_1_2_2_neptune
and hxclient_1_2_2_neptunei.

Thanks,
Milko


At 10:33 AM 9/29/2006, Eric Hyche wrote:

HEAD and 150Cay are the main ones. The Nokia folks
may want the fix in Cay210S.

Eric

=============================================
Eric Hyche (ehyche@real.com)
Technical Lead
RealNetworks, Inc. 

> -----Original Message-----
> From: datatype-dev-bounces@helixcommunity.org
> [mailto:datatype-dev-bounces@helixcommunity.org] On Behalf Of
> Todd Zupan
> Sent: Friday, September 29, 2006 1:08 PM
> To: datatype-dev@helixcommunity.org
> Subject: [datatype-dev] RE: heap overflow in mp3 ID3 tag parsing
>
> Resending to proper address.
>
> ________________________________
>
> From: Todd Zupan [mailto:tzupan@real.com]
> Sent: Thursday, September 28, 2006 5:46 PM
> To: datatype-dev@lists.helixcommunity.org
> Subject: heap overflow in mp3 ID3 tag parsing
>
> There is an error in the ID3Lib code when parsing the size of
> certain tags. The tag size is calculated with an atoi call
> on a 5 character string (read from the file), but the problem
> is that the value is converted to an unsigned value without
> checking it first.  A malicious (or corrupted) file can set
> the string that stores the length to -1, which gets converted
> to 0xFFFFFFFF (when it's converted to an unsigned value).
> Since no checking is done on this size, the library will
> allocate a buffer of that size and try to read the data into
> it.  The fix is to also store the signed value when calling
> atoi, and check that for invalid results (make sure the size
> stored is an appropriate size, which should just be > 0).
>
> I have attached the DIFF for a possible fix which I will
> submit a CR for later.  I wanted to know what branches it
> needs to be checked into, though.  I am working off a local
> branch, but I know this error is still present in the HEAD
> branch, as well as cay150.  Are there any other branches that
> this will need to be checked into?
>
>
> Thanks,
>
> Todd Zupan
> RealNetworks
>

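The unchecked atoi-to-unsigned conversion Todd describes, next to the checked version, as an added illustration for this archive page; it is not code from ID3Lib or from the diff attached to the original mail. The 5-character size field followed directly by its payload, and the comparison of the parsed size against the bytes remaining in the tag, are assumptions made here; only the "keep the signed value and require > 0" check comes from the report.

```c
#include <stdlib.h>
#include <string.h>

#define SIZE_CHARS 5  /* the 5-character ASCII size field from the report */

/* atoi() over exactly the 5 size characters (copied so atoi stops there). */
int field_atoi(const char *field)
{
    char buf[SIZE_CHARS + 1];
    memcpy(buf, field, SIZE_CHARS);
    buf[SIZE_CHARS] = '\0';
    return atoi(buf);
}

/* Vulnerable pattern from the report: the atoi() result goes straight into
 * an unsigned size with no check, so a field holding "-1" becomes
 * 0xFFFFFFFF, and that is the size the library then allocates and reads. */
unsigned int size_unchecked(const char *field)
{
    return (unsigned int)field_atoi(field);
}

/* Fixed pattern: keep the signed result and validate it before it is used
 * as a size. The "> 0" test is the report's fix; the comparison against
 * `remaining` (bytes actually left in the tag) is an added assumption so a
 * large but positive size cannot read past the end of the input either. */
int size_checked(const char *field, size_t remaining, size_t *out)
{
    int signed_size = field_atoi(field);
    if (signed_size <= 0 || (size_t)signed_size > remaining)
        return 0;                /* reject: negative, zero or too big */
    *out = (size_t)signed_size;
    return 1;
}

/* Read one field (5-char size, then payload) with the checked parser; returns
 * a malloc'd NUL-terminated payload copy (caller frees) or NULL if invalid. */
char *read_field(const unsigned char *tag, size_t tag_len, size_t *payload_len)
{
    size_t n;
    if (tag_len < SIZE_CHARS || !size_checked((const char *)tag, tag_len - SIZE_CHARS, &n))
        return NULL;
    char *payload = malloc(n + 1);
    if (!payload)
        return NULL;
    memcpy(payload, tag + SIZE_CHARS, n);
    payload[n] = '\0';
    *payload_len = n;
    return payload;
}
```

With a constructed field "-1   hello", size_unchecked() yields 0xFFFFFFFF exactly as the report describes, while read_field() rejects the same bytes before any allocation happens.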

_______________________________________________
Datatype-dev mailing list
Datatype-dev@helixcommunity.org
http://lists.helixcommunity.org/mailman/listinfo/datatype-dev