Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame^] | 1 | In case of an unknown/invalid encoding, id3_parse_string() will |
| 2 | return NULL, but the return value wasn't checked resulting |
| 3 | in segfault in id3_ucs4_length(). This is the only place |
| 4 | the return value wasn't checked. |
| 5 | |
| 6 | Patch taken from Debian: |
| 7 | https://sources.debian.org/patches/libid3tag/0.15.1b-14/11_unknown_encoding.dpatch/ |
| 8 | |
| 9 | CVE: CVE-2017-11550 |
| 10 | Upstream-Status: Pending |
| 11 | Signed-off-by: Ross Burton <ross.burton@intel.com> |
| 12 | |
| 13 | diff -urNad libid3tag-0.15.1b~/compat.gperf libid3tag-0.15.1b/compat.gperf |
| 14 | --- libid3tag-0.15.1b~/compat.gperf 2004-01-23 09:41:32.000000000 +0000 |
| 15 | +++ libid3tag-0.15.1b/compat.gperf 2007-01-14 14:36:53.000000000 +0000 |
| 16 | @@ -236,6 +236,10 @@ |
| 17 | |
| 18 | encoding = id3_parse_uint(&data, 1); |
| 19 | string = id3_parse_string(&data, end - data, encoding, 0); |
| 20 | + if (!string) |
| 21 | + { |
| 22 | + continue; |
| 23 | + } |
| 24 | |
| 25 | if (id3_ucs4_length(string) < 4) { |
| 26 | free(string); |
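Review bot: The added NULL check after `id3_parse_string()` carries no comment and uses a brace layout unlike the `if (id3_ucs4_length(string) < 4) {` directly below it. The encoding byte comes from the frame data via `id3_parse_uint(&data, 1)`, so it is file-controlled, and the reason for skipping the frame should be visible at the check: `if (!string) continue; /* unknown encoding or failed deserialization: skip this frame */`. A NULL return presumably also covers an allocation failure inside the deserializers, which this path now treats the same as a malformed tag; confirm that is intended. The enclosing loop starts and ends outside the hunk.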
| 27 | diff -urNad libid3tag-0.15.1b~/parse.c libid3tag-0.15.1b/parse.c |
| 28 | --- libid3tag-0.15.1b~/parse.c 2004-01-23 09:41:32.000000000 +0000 |
| 29 | +++ libid3tag-0.15.1b/parse.c 2007-01-14 14:37:34.000000000 +0000 |
| 30 | @@ -165,6 +165,9 @@ |
| 31 | case ID3_FIELD_TEXTENCODING_UTF_8: |
| 32 | ucs4 = id3_utf8_deserialize(ptr, length); |
| 33 | break; |
| 34 | + default: |
| 35 | + /* FIXME: Unknown encoding! Print warning? */ |
| 36 | + return NULL; |
| 37 | } |
| 38 | |
| 39 | if (ucs4 && !full) { |
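Review bot: The new `default:` branch ships a FIXME instead of stating the contract the fix relies on, namely that an unrecognised encoding value yields NULL and every caller must check for it. Replace it with something like `/* unknown text encoding: no string is produced; callers must check for NULL */`. The `if (ucs4 && !full)` below suggests `ucs4` could already be NULL before this change, so the branch may mainly make an existing behaviour explicit, which is one more reason to document it. Whether `*ptr` should be advanced on this path is not visible here and is worth confirming for callers that keep parsing after a NULL. The function body (presumably `id3_parse_string`) starts and ends outside the hunk.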