libid3 crashes (stack smashing) when reading VBR MP3 file

Bug #444466 reported by Urs Fleisch
This bug affects 3 people

Affects: id3lib3.8.3 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Christian Mangold

Bug Description

libid3-3.8.3 crashes when reading an MP3 file with variable bitrate (VBR).

Reproduction:
lame -v /usr/share/sounds/alsa/Noise.wav vbr.mp3
id3info vbr.mp3
*** stack smashing detected ***: id3info terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xc56de8]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xc56da0]
/usr/lib/libid3-3.8.so.3[0xecad54]
/usr/lib/libid3-3.8.so.3(_ZN7Mp3Info5ParseER10ID3_Readerj+0x8f5)[0xebea05]
/usr/lib/libid3-3.8.so.3(_ZN11ID3_TagImpl11ParseReaderER10ID3_Reader+0x42b)[0xec40fb]
/usr/lib/libid3-3.8.so.3(_ZN11ID3_TagImpl9ParseFileEv+0x195)[0xec47e5]
/usr/lib/libid3-3.8.so.3(_ZN11ID3_TagImpl4LinkEPKct+0x54)[0xec00d4]
/usr/lib/libid3-3.8.so.3(_ZN7ID3_Tag4LinkEPKct+0x2f)[0xebf26f]
id3info[0x804aeb6]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb8cb56]
id3info[0x8049601]

The same happens with other applications using libid3 (e.g. Kid3).

Patch to fix the buffer overflow:
----
diff -ru id3lib3.8.3-3.8.3.orig/src/mp3_parse.cpp id3lib3.8.3-3.8.3/src/mp3_parse.cpp
--- id3lib3.8.3-3.8.3.orig/src/mp3_parse.cpp 2003-03-02 01:23:00.000000000 +0100
+++ id3lib3.8.3-3.8.3/src/mp3_parse.cpp 2009-10-06 11:45:37.897681290 +0200
@@ -465,7 +465,7 @@
   // from http://www.xingtech.com/developer/mp3/

   const size_t VBR_HEADER_MIN_SIZE = 8; // "xing" + flags are fixed
- const size_t VBR_HEADER_MAX_SIZE = 116; // frames, bytes, toc and scale are optional
+ const size_t VBR_HEADER_MAX_SIZE = 120; // frames, bytes, toc and scale are optional

   if (mp3size >= vbr_header_offest + VBR_HEADER_MIN_SIZE)
   {
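Review bot: the new value 120 matches the maximum of the vbr_header_size sum quoted in the report (8 + 4 + 4 + 100 + 4), but the hunk still keeps that maximum and the buffer size as two independent literals, so the two can drift apart again. Consider defining the constant from the same terms, e.g. `const size_t VBR_HEADER_MAX_SIZE = VBR_HEADER_MIN_SIZE + 4 + 4 + 100 + 4;`, or adding a check that vbr_header_size does not exceed VBR_HEADER_MAX_SIZE before the header is read into vbrheaderdata, so that a later change to the optional fields cannot reopen the overflow. The typo `vbr_header_offest` in the unchanged context line is worth a follow-up fix.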
----

Description of bug:
With VBR_HEADER_MAX_SIZE = 116, the buffer
char vbrheaderdata[VBR_HEADER_MAX_SIZE+1]
is too small; below, it is used with the following variable:
      int vbr_header_size = VBR_HEADER_MIN_SIZE
                           + ((vbr_flags & FRAMES_FLAG)? 4:0)
                           + ((vbr_flags & BYTES_FLAG)? 4:0)
                           + ((vbr_flags & TOC_FLAG)? 100:0)
                           + ((vbr_flags & SCALE_FLAG)? 4:0);
which is 120 in the maximum case. So the patch fixes it to 120 instead of 116 bytes.

This will also fix bug 425319 (https://bugs.launchpad.net/ubuntu/+source/kid3/+bug/425319), which is not really a bug of Kid3.

ProblemType: Crash
Architecture: i386
AssertionMessage: *** stack smashing detected ***: id3info terminated
Date: Tue Oct 6 12:44:08 2009
DistroRelease: Ubuntu 9.10
ExecutablePath: /usr/bin/id3info
Package: libid3-3.8.3-dev 3.8.3-7.2ubuntu1
ProcCmdline: id3info vbr.mp3
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.UTF-8
ProcVersionSignature: Ubuntu 2.6.31-11.38-generic
Signal: 6
SourcePackage: id3lib3.8.3
StacktraceTop:
 __kernel_vsyscall ()
 *__GI_raise (sig=6)
 *__GI_abort () at abort.c:92
 __libc_message (do_abort=2,
 *__GI___fortify_fail (
Title: id3info assert failure: *** stack smashing detected ***: id3info terminated
Uname: Linux 2.6.31-11-generic i686
UserGroups: adm admin cdrom dialout lpadmin plugdev pulse-access sambashare
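
The size arithmetic the report describes, written out as an added C example (not code from id3lib or from the reporter): the header length is derived from the Xing flags exactly as in the vbr_header_size expression above, and the copy into the destination buffer is refused when that length exceeds the buffer, which is the check a 117-byte `vbrheaderdata` (116 + 1) would have needed for a header with all four optional fields. The function names, the constructed sample frame and the dummy payload are mine; the flag bit values follow the Xing header layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Xing VBR header flag bits (values per the Xing header layout). */
#define FRAMES_FLAG 0x0001u
#define BYTES_FLAG  0x0002u
#define TOC_FLAG    0x0004u
#define SCALE_FLAG  0x0008u

#define VBR_HEADER_MIN_SIZE 8   /* "Xing" + 4-byte flags word */
/* Maximum: min + frames(4) + bytes(4) + toc(100) + scale(4) = 120.
 * Derived from the same terms as xing_header_size() so the two cannot drift. */
#define VBR_HEADER_MAX_SIZE (VBR_HEADER_MIN_SIZE + 4 + 4 + 100 + 4)

/* Same arithmetic as the report's vbr_header_size expression. */
size_t xing_header_size(uint32_t flags) {
    return VBR_HEADER_MIN_SIZE
         + ((flags & FRAMES_FLAG) ? 4 : 0)
         + ((flags & BYTES_FLAG)  ? 4 : 0)
         + ((flags & TOC_FLAG)    ? 100 : 0)
         + ((flags & SCALE_FLAG)  ? 4 : 0);
}

/* Read the big-endian 32-bit flags word that follows the "Xing" tag. */
static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Copy the Xing header found at frame[offset] into out (capacity out_cap).
 * Returns the number of bytes copied, or -1 when the header is absent,
 * truncated, or larger than the destination. The last check is the missing
 * one: with all four flags set the header is 120 bytes, and a smaller
 * destination must make the copy fail instead of overflowing the stack.
 */
long copy_xing_header(const unsigned char *frame, size_t frame_len,
                      size_t offset, unsigned char *out, size_t out_cap) {
    if (frame_len < offset || frame_len - offset < VBR_HEADER_MIN_SIZE)
        return -1;                       /* not even tag + flags present */
    const unsigned char *hdr = frame + offset;
    if (memcmp(hdr, "Xing", 4) != 0)
        return -1;                       /* no VBR header at this offset */
    size_t need = xing_header_size(read_be32(hdr + 4));
    if (need > out_cap)
        return -1;                       /* destination too small: refuse */
    if (frame_len - offset < need)
        return -1;                       /* file ends inside the header */
    memcpy(out, hdr, need);
    return (long)need;
}

/* Constructed sample: a Xing header with the given optional fields present,
 * filled with a dummy payload. Returns the header length, 0 if buf is too small. */
size_t build_sample_frame(unsigned char *buf, size_t cap, uint32_t flags) {
    size_t need = xing_header_size(flags);
    if (cap < need) return 0;
    memset(buf, 0xAB, need);             /* dummy frames/bytes/toc/scale data */
    memcpy(buf, "Xing", 4);
    buf[4] = (unsigned char)(flags >> 24);
    buf[5] = (unsigned char)(flags >> 16);
    buf[6] = (unsigned char)(flags >> 8);
    buf[7] = (unsigned char)flags;
    return need;
}

int main(void) {
    unsigned char frame[256];
    uint32_t all = FRAMES_FLAG | BYTES_FLAG | TOC_FLAG | SCALE_FLAG;
    size_t len = build_sample_frame(frame, sizeof frame, all);
    unsigned char small[116 + 1];                 /* the pre-patch buffer size */
    unsigned char big[VBR_HEADER_MAX_SIZE + 1];   /* the post-patch buffer size */
    printf("header size with all flags: %zu\n", xing_header_size(all));
    printf("copy into %zu-byte buffer: %ld\n", sizeof small,
           copy_xing_header(frame, len, 0, small, sizeof small));
    printf("copy into %zu-byte buffer: %ld\n", sizeof big,
           copy_xing_header(frame, len, 0, big, sizeof big));
    return 0;
}
```

Running it shows the 120-byte header being refused by the 117-byte buffer and accepted by the 121-byte one; the refusal is what turns the silent stack overwrite into a reportable parse error.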

Urs Fleisch (ufleisch) wrote :
visibility: private → public
Apport retracing service (apport) wrote : Stacktrace.txt (retraced)

StacktraceTop:__kernel_vsyscall ()
*__GI_raise (sig=6)
*__GI_abort () at abort.c:92
__libc_message (do_abort=2,
*__GI___fortify_fail (

Apport retracing service (apport) wrote : ThreadStacktrace.txt (retraced)
Changed in id3lib3.8.3 (Ubuntu):
importance: Undecided → Medium
tags: removed: need-i386-retrace
Changed in id3lib3.8.3 (Ubuntu):
status: New → Confirmed
Changed in id3lib3.8.3 (Ubuntu):
assignee: nobody → Christian Mangold (neversfelde)
Christian Mangold (neversfelde) wrote :

id3lib3.8.3 (3.8.3-7.2ubuntu2) karmic; urgency=low

  * Add patch fix_vbr_stack_smash.diff, thanks to Urs Fleisch (LP: #444466)
    - Add build-dep on quilt
    - Add quilt to debian/rules

 -- Christian Mangold <email address hidden> Tue, 06 Oct 2009 23:14:45 +0200

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package id3lib3.8.3 - 3.8.3-7.2ubuntu2

---------------
id3lib3.8.3 (3.8.3-7.2ubuntu2) karmic; urgency=low

  * Add patch fix_vbr_stack_smash.diff, thanks to Urs Fleisch (LP: #444466)
    - Add build-dep on quilt
    - Add quilt to debian/rules

 -- Christian Mangold <email address hidden> Tue, 06 Oct 2009 23:14:45 +0200

Changed in id3lib3.8.3 (Ubuntu):
status: Confirmed → Fix Released
Martin Pitt (pitti) wrote :

Can you please forward this upstream as well?
