[mad-dev] Infinite loop bug in libid3tag-0.15.0b

Kentaro Oda odaken at gmail.com
Sat Jan 12 23:17:36 PST 2008


Hi, to the maintainer of libid3tag.

I found an infinite loop bug in the libid3tag-0.15.0b library, which
causes memory overflow.

The problem occurs when parsing an ID3_FIELD_TYPE_STRINGLIST field,
specifically when the data to be parsed ends with '\0'.
In this case, **ptr == 0, but the condition end - *ptr is 1, so the loop
continues infinitely.


*** field.c	2003-04-19 09:14:33.000000000 +0900
--- field-patched.c	2008-01-13 16:08:22.000000000 +0900
***************
*** 291,297 ****

        end = *ptr + length;

!       while (end - *ptr > 0) {
  	ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
  	if (ucs4 == 0)
  	  goto fail;
--- 291,297 ----

        end = *ptr + length;

!       while (end - *ptr > 0 && **ptr != '\0') {
  	ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0);
  	if (ucs4 == 0)
  	  goto fail;
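Review bot: the added `**ptr != '\0'` test on the `while` line inspects a single byte, but the call on the next line passes `*encoding`, and ID3v2 text may be UTF-16, where a valid character can begin with a zero byte (and a terminator is two bytes), so this condition can end the list early on such input while not fully covering the trailing-terminator case for that encoding. A fix that does not depend on the encoding is to require progress from `id3_parse_string`: save `*ptr` before the call and `goto fail` (or break out of the loop) when it is unchanged afterwards, which also terminates the loop in the reported trailing-NUL case.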


-- 
Kentaro Oda
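Added example, not code from the message above or from libid3tag: a small constructed model of the STRINGLIST loop, with `parse_one()` standing in for `id3_parse_string()` on ISO-8859-1 text and imitating the reported behaviour (a remaining buffer that is only a terminator is not consumed). The unguarded loop shows the hang; the guarded loop stops when a parse call makes no progress, which terminates regardless of the text encoding.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for id3_parse_string() on Latin-1 with full == 0:
 * returns the string length before the NUL and advances *ptr past the
 * string and its terminator. A lone terminator yields an empty string
 * and, as in the reported bug, leaves *ptr untouched. */
static size_t parse_one(const unsigned char **ptr, size_t length)
{
  const unsigned char *nul = memchr(*ptr, 0, length);
  size_t n = nul ? (size_t)(nul - *ptr) : length;
  if (n == 0)                 /* nothing but a terminator: no progress */
    return 0;
  *ptr += n + (nul ? 1 : 0);  /* skip the string and its NUL, if any */
  return n;
}

/* Shape of the original loop: spins forever on a trailing NUL. Bounded
 * by max_iter here so the hang is observable; returns -1 when hit. */
int count_strings_unguarded(const unsigned char *buf, size_t len, int max_iter)
{
  const unsigned char *ptr = buf, *end = buf + len;
  int count = 0;
  while (end - ptr > 0) {
    if (max_iter-- == 0)
      return -1;              /* would never leave the loop */
    parse_one(&ptr, (size_t)(end - ptr));
    ++count;
  }
  return count;
}

/* Hardened loop: a parse call that consumes no input ends the list
 * instead of being retried (a stricter caller could treat it as a
 * parse failure), so the loop always terminates. */
int count_strings_guarded(const unsigned char *buf, size_t len)
{
  const unsigned char *ptr = buf, *end = buf + len;
  int count = 0;
  while (end - ptr > 0) {
    const unsigned char *before = ptr;
    parse_one(&ptr, (size_t)(end - ptr));
    if (ptr == before)        /* no progress: stop rather than spin */
      break;
    ++count;
  }
  return count;
}
```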

