Opened 6 years ago

Closed 6 years ago

#9501 closed enhancement (fixed)


Reported by: bdubbs@…
Owned by: bdubbs@…
Priority: normal
Milestone: 8.1
Component: BOOK
Version: SVN
Severity: normal
Keywords:


New point version.

Change History (3)

comment:1 by bdubbs@…, 6 years ago

Owner: changed from blfs-book@… to bdubbs@…
Status: new → assigned

comment:2 by bdubbs@…, 6 years ago

  • Better checks for xrpnt overflow in III_dequantize_sample() before each use, avoiding false positives and catching cases that were rendered harmless by alignment-enlarged buffers.

  • libmpg123:
    • Extend pow tables for layer III to properly handle files with i-stereo and 5-bit scalefactors. Never observed them for real, just as fuzzed input to trigger the read overflow. Note: This one goes on record as CVE-2017-11126, calling remote denial of service. While the accesses are out of bounds for the pow tables, they still are safely within libmpg123's memory (other static tables). Just wrong values are used for computation, no actual crash unless you use something like GCC's AddressSanitizer, nor any information disclosure.
  • Avoid left-shifts of negative integers in layer I decoding.

1.25.1: Hot Fuzz

  • Avoid memset(NULL, 0, 0) to calm down the paranoid.
  • Fix bug 252, invalid read of size 1 in ID3v2 parser due to forgotten offset from the frame flag bytes (unnoticed in practice for a long time). Fuzzers are in the house again. This one got CVE-2017-10683.
  • Avoid a mostly harmless conditional jump depending on uninitialised fr->lay in compute_bpf() (mpg123_position()) when track is not ready yet.
  • Fix undefined shifts on signed long mask in layer3.c (worked in practice, never right in theory). Code might be a bit faster now, even. Thanks to Agostino Sarubbo for reporting.
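
Two of the items in the changelog above are textbook C defects: a table indexed by a value read off an untrusted bitstream (the pow-table read overflow, CVE-2017-11126) and left shifts on negative signed integers (undefined behaviour in C, even when it "worked in practice"). The following is an added illustration written for this ticket, not mpg123 code and not the fix the project shipped: the table, its 16-entry size, the function names and the sample values are all constructed. It shows the defensive shape of both fixes: refuse an index that would leave the table instead of trusting the caller, and perform shifts in the unsigned domain with a width check.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed stand-in for a decoder's precomputed "pow" scale table.
 * The index comes from whatever the bitstream says the scalefactor is.
 * A 5-bit scalefactor can reach 31, so a table sized for the common
 * 4-bit case (16 entries, as here) is read past its end unless the
 * lookup rejects out-of-range indices. Values are powers of two chosen
 * for the example; they are not mpg123's table contents.
 */
#define POW_TABLE_LEN 16u
static const double pow_table[POW_TABLE_LEN] = {
    1.0, 0.5, 0.25, 0.125, 0.0625, 0.03125, 0.015625, 0.0078125,
    0.00390625, 0.001953125, 0.0009765625, 0.00048828125,
    0.000244140625, 0.0001220703125, 0.00006103515625, 0.000030517578125
};

/*
 * Checked lookup: returns 1 and stores the value on success, 0 when the
 * index would leave the table. The unchecked form, `pow_table[idx]` with
 * no test, is exactly the pattern that turns a fuzzed scalefactor into an
 * out-of-bounds read. A caller must treat 0 as a decode error for the
 * frame rather than substituting a value silently.
 */
int pow_lookup_checked(unsigned idx, double *out)
{
    if (idx >= POW_TABLE_LEN)
        return 0;
    *out = pow_table[idx];
    return 1;
}

/*
 * Left-shifting a negative signed value is undefined behaviour in C, and
 * shifting by the operand width or more is undefined for any sign. Doing
 * the shift on an unsigned long is well defined; converting the result
 * back to long is implementation-defined, but yields the two's-complement
 * value on mainstream compilers, which is what shift-based code expects.
 * Returns 0 when the shift count itself is invalid (CHAR_BIT of 8 assumed).
 */
int shl_checked(long v, unsigned bits, long *out)
{
    if (bits >= sizeof(long) * 8)
        return 0;
    *out = (long)((unsigned long)v << bits);
    return 1;
}

int main(void)
{
    double d;
    long r;

    /* A 5-bit scalefactor index of 31 must be rejected, not read. */
    printf("idx 31: %s\n", pow_lookup_checked(31, &d) ? "ok" : "rejected");
    if (pow_lookup_checked(15, &d))
        printf("idx 15: %g\n", d);

    if (shl_checked(-3L, 2, &r))
        printf("-3 << 2 = %ld\n", r);
    printf("shift by 64: %s\n", shl_checked(1L, 64, &r) ? "ok" : "rejected");
    return 0;
}
```

The point of the checked lookup is that it fails loudly at the one place the untrusted value is used, which is also the pattern that makes a fuzzer finding like the one above reproduce as a clean error instead of a silent wrong value that only AddressSanitizer notices.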

comment:3 by bdubbs@…, 6 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 18966.
