Array overflow in id3lib (devel CVS)

2007-12-2000:00:00

vulners.com

JSON

#######################################################################

                         Luigi Auriemma

Application: id3lib
http://id3lib.sourceforge.net
Versions: only devel (CVS)
stable (3.8.3) is NOT affected
Platforms: Windows, *nix and Mac
Bug: array overflow
Exploitation: local
Date: 19 Dec 2007
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

id3lib is a well known and used library for handling the ID3 tags in
the audio files.

Actually the library is divided in two branches: stable (3.8.3 released
in the far 2003) and devel (the current CVS).
Although the vulnerable instructions are located in both the versions
only the devel is exploitable because the ID3v2 4.0 tags are not
supported in the stable (watch ID3V2_LATEST in globals.h).

#######################################################################

======
2) Bug

The problem is in the extflags array (a pointer to array) which has a
size of only one element while the extflagbytes can support from 0 to
255 elements.
So, using a extflagbytes of 0 will be caused a crash since the
subsequent instructions consider extflags[0] initialized while using
higher values is possible to overflow this small array.

From header_tag.cpp:

void ID3_TagHeader::ParseExtended(ID3_Reader& reader)
…
const int extflagbytes = reader.readChar(); //Number of flag bytes
ID3_Flags* extflags[1]; // ID3V2_4_0 has 1 flag byte, extflagbytes
should be equal to 1 for (i = 0; i < extflagbytes; ++i)
{
extflags[i] = new ID3_Flags;
extflags[i]->set(reader.readChar()); //flags
}

I have many doubts about the real exploitation of this overflow for
executing malicious code, but I can't exclude it at all.

#######################################################################