Bug#726068: mp3check: --cut-junk-end may segfault when the last frame is truncated

Fri, 11 Oct 2013 16:15:51 -0700 

Package: mp3check
Version: 0.8.7-1
Severity: normal
Tags: patch upstream

When the last audio frame is truncated, "mp3check --cut-junk-end" fails
to detect and get rid of it.

In the best case scenario, when the mp3 file has no id3 tag, the
corrupted frame is left as is.

In the worst case scenario, when the frame is followed by id3 tags, the
frame is considered as complete and the tags are restored beyond the end
of the memory-mapped file, which may cause a segmentation fault.

The attached patch aims to detect and eliminate any truncated last audio
frame when mp3check is called with the --cut-junk-end option.

Incidentally, this may also close bug #315497.

Xavier

-- System Information:
Debian Release: 7.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-54-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mp3check depends on:
ii  libc6       2.13-38
ii  libgcc1     1:4.7.2-5
ii  libstdc++6  4.7.2-5

mp3check recommends no packages.

Versions of packages mp3check suggests:
pn  mpg321  <none>

-- no debconf information

Description: Fix to prevent segfaults when the last audio frame is truncated.
 When the last audio frame is truncated, "mp3check --cut-junk-end" fails to
 detect and get rid of it.
 .
 In the best case scenario, when the mp3 file has no id3 tag, the corrupted
 frame is left as is.
 .
 In the worst case scenario, when the frame is followed by id3 tags, the frame
 is considered as complete and the tags are restored beyond the end of the
 memory-mapped file, which may cause a segmentation fault.
 .
 This patch aims to detect and eliminate any truncated last audio frame when
 mp3check is called with the --cut-junk-end option.
Author: Xavier Hienne <xhie...@free.fr>
Bug-Ubuntu: https://launchpad.net/bugs/592766

---
Bug-Debian: http://bugs.debian.org/<bugnumber>

--- mp3check-0.8.7.orig/mp3check.cc
+++ mp3check-0.8.7/mp3check.cc
@@ -1069,6 +1069,7 @@ bool cut_junk_end(const char *name, cons
 		  cok, (tag->isValidSpecs()?"valid":"invalid"),
 		  (tag->version())>>8, (tag->version())&0xff, cnor);
 	       have_a_tag = true;
+	       rest-=128;
 	    }
 	    else
 	    {
@@ -1115,18 +1116,13 @@ bool cut_junk_end(const char *name, cons
 	    
 	    // skip to next frame
 	    l = frame_length(h);
+	    if (l > rest) break;
 	    p += l;
 	    rest -= l;
 	    start += l;
 	 }
       }
       
-      // in case we had found a tag
-      if((rest >= 128) && have_a_tag)
-      {
-      	rest-=128;
-      }
-      
       // remove incomplete last frames
       //if((rest < 0) && remove_truncated_last_frame)
       //{

Reply via email to