libmpg123's Issues

out of bounds read in parse.c -> check_lame_tag

In the lame label check function, we first consider the mono and stereo value based on the input of two fixed values, which lame offset is equal to 32. Based on lsf

    off_t track_frames;
    off_t track_samples;
    double mean_framesize;
    off_t mean_frames;
    int fsizeold;
    int ssize;
    unsigned int bitreservoir;
    unsigned char bsspace[2][MAXFRAMESIZE+512]; /* MAXFRAMESIZE */
    unsigned char *bsbuf;
    unsigned char *bsbufold;
    int bsnum;

For this function's code to handle it, the Xing header must be 120 bytes:

    if(fr->framesize >= 120+lame_offset)

After that, as you can see here, all of the fr->bsbuf[i] values can be controlled by the attacker without any restrictions, and the code checks and searches them.

    for(i=2; i < lame_offset; ++i) if(fr->bsbuf[i] != 0) break;
    (
           (fr->bsbuf[lame_offset]   == 'I')
        && (fr->bsbuf[lame_offset+1] == 'n')
        && (fr->bsbuf[lame_offset+2] == 'f')
        && (fr->bsbuf[lame_offset+3] == 'o')
    )

The problem is that the value of bsbuf can be determined by the attacker and can change according to the input. If the value of bsbuf is 32 for example, +3 is returned when it was served in the last lookup. An out-of-range read may occur. This scenario can be implemented by sending a format file or communication based on voice in the form of an exploit code for the frame. NOTE: id3 structure

Problem Icy-MetaData:1

I created an mp3 file named test.mp3 by streaming curl output (webradio).
I stopped creating the test.mp3 file after 10 seconds.
Then I read the file test.mp3 with (mpg123 -vt test.mp3); see OUTPUT.

OUTPUT CURL

curl http://stream.c9.fr/c9.mp3 > test.mp3
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 283k 0 283k 0 0 28056 0 --:--:-- 0:00:10 --:--:-- 23893^C

OUTPUT mpg123

./mpg123 -vt test.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
version 1.25.10; written and copyright by Michael Hipp and others
free software (LGPL) without any warranty but with best wishes
Decoder: x86-64 (SSE)
Trying output module: test, device:

Terminal control enabled, press 'h' for listing of keys and functions.

Playing MPEG stream 1 of 1: test.mp3 ...

MPEG 1.0 L III cbr192 44100 j-s

456+000 00:11.91+00:00.00 --- 100=100 192 kb/s 627 B acc 0 clip p+0.000
[0:11] Decoding of test.mp3 finished.

Up to this point there is no problem: the file (test.mp3) is read without problem.

When I add the parameter -H "Icy-MetaData: 1" to curl, which means adding metadata such as (StreamTitle) to the (webradio) stream, the whole thing is written to the output file (test.mp3); see the OUTPUT example:

curl -H "Icy-MetaData:1" -v http://stream.c9.fr/c9.mp3 > test.mp3
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 66.70.200.63...

* TCP_NODELAY set
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to stream.c9.fr (66.70.200.63) port 80 (#0)
> GET /c9.mp3 HTTP/1.1
> Host: stream.c9.fr
> User-Agent: curl/7.64.1
> Accept: */*
> Icy-MetaData:1
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: Icecast 2.4.2
< Date: Sat, 11 May 2019 11:28:26 GMT
< Content-Type: audio/mpeg
< Cache-Control: no-cache
< Expires: Mon, 26 Jul 1997 05:00:00 GMT
< Pragma: no-cache
< Access-Control-Allow-Origin: *
< icy-br:192
< ice-audio-info: channels=2;samplerate=44100;bitrate=192
< icy-description:C9 Radio - Only Hits! - c9.fr
< icy-genre:Top40 Hits Club Pop Rock Urban
< icy-name:C9 Radio - Only Hits! - c9.fr
< icy-pub:1
< icy-url:https://www.c9.fr/
< icy-metaint:16000
<
{ [1400 bytes data]
100 254k 0 254k 0 0 28445 0 --:--:-- 0:00:09 --:--:-- 23993^C

What I cannot understand is that when reading the file test.mp3 with mpg123, it is read with errors; see OUTPUT mpg123.

OUTPUT mpg123

mpg123 -vt test.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
version 1.14.4; written and copyright by Michael Hipp and others
free software (LGPL/GPL) without any warranty but with best wishes
Decoder: x86-64 (SSE)

Playing MPEG stream 1 of 1: test.mp3 ...

MPEG 1.0, Layer: III, Freq: 44100, mode: Joint-Stereo, modext: 2, BPF : 627
Channels: 2, copyright: No, original: Yes, CRC: No, emphasis: 0.
Bitrate: 192 kbit/s Extension value: 0
Frame# 24 [ 386], Time: 00:00.62 [00:10.08], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0x69746c65 at offset 16008.
Note: Trying to resync...
Note: Skipped 65 bytes in input.
Frame# 48 [ 361], Time: 00:01.25 [00:09.43], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0xeafffbb2 at offset 32373.
Note: Trying to resync...
Note: Skipped 1 bytes in input.
Frame# 72 [ 337], Time: 00:01.88 [00:08.80], RVA: off, Vol: 100(100)[layer3.c:454] error: big_values too large!
[layer3.c:454] error: big_values too large!
Note: Illegal Audio-MPEG-Header 0x9ffffbb2 at offset 48674.
Note: Trying to resync...
Note: Skipped 1 bytes in input.
Frame# 96 [ 313], Time: 00:02.50 [00:08.17], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0xe9fffbb2 at offset 64349.
Note: Trying to resync...
Note: Skipped 1 bytes in input.
Frame# 120 [ 289], Time: 00:03.13 [00:07.54], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0x79fffbb2 at offset 80650.
Note: Trying to resync...
Note: Skipped 1 bytes in input.
Frame# 152 [ 257], Time: 00:03.97 [00:06.71], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0x0ffffbb2 at offset 96325.
Note: Trying to resync...
Note: Skipped 1 bytes in input.
Frame# 176 [ 233], Time: 00:04.59 [00:06.08], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0x4dfffbb2 at offset 112626.
Note: Trying to resync...
Note: Skipped 1 bytes in input.
Frame# 200 [ 209], Time: 00:05.22 [00:05.45], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0xb1fffbb2 at offset 128301.
Note: Trying to resync...
Note: Skipped 1 bytes in input.
Frame# 224 [ 185], Time: 00:05.85 [00:04.83], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0x49fffbb2 at offset 144602.
Note: Trying to resync...
Note: Skipped 1 bytes in input.
Frame# 248 [ 161], Time: 00:06.47 [00:04.20], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0x10fffbb0 at offset 160277.
Note: Trying to resync...
Note: Skipped 1 bytes in input.
Frame# 280 [ 129], Time: 00:07.31 [00:03.36], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0x7ffffbb2 at offset 176578.
Note: Trying to resync...
Note: Skipped 1 bytes in input.
Frame# 304 [ 105], Time: 00:07.94 [00:02.74], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0x41fffbb2 at offset 192252.
Note: Trying to resync...
Note: Skipped 1 bytes in input.
Frame# 328 [ 81], Time: 00:08.56 [00:02.11], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0x88fffbb2 at offset 208554.
Note: Trying to resync...
Note: Skipped 1 bytes in input.
Frame# 352 [ 57], Time: 00:09.19 [00:01.48], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0x41fffbb2 at offset 224228.
Note: Trying to resync...
Note: Skipped 1 bytes in input.
Frame# 376 [ 33], Time: 00:09.82 [00:00.86], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0x0cfffbb2 at offset 240530.
Note: Trying to resync...
Note: Skipped 1 bytes in input.
Frame# 400 [ 9], Time: 00:10.44 [00:00.23], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0x4dfffbb2 at offset 256204.
Note: Trying to resync...
Note: Skipped 1 bytes in input.
Frame# 409 [ 1], Time: 00:10.68 [00:00.02], RVA: off, Vol: 100(100)
[0:10] Decoding of test.mp3 finished.

If I set the option "Icy-MetaData: 1", I have the same problem with my (webradio) streaming program; the error is in the function mpg123_decode_frame, for example:

err = mpg123_decode_frame(mh, &frame_offset, &audio, &done);

In the mpg123_feed function I do not have any errors, for example:

mpg123_feed(mh, (const unsigned char *) DataBufferMP3, Counternmemb);

Is there not a way, with the option "Icy-MetaData: 1", to play the stream with (mpg123_decode_frame) without error messages such as:

Frame# 24 [ 386], Time: 00:00.62 [00:10.08], RVA: off, Vol: 100(100)Note: Illegal Audio-MPEG-Header 0x69746c65 at offset 16008.
Note: Trying to resync...
Note: Skipped 65 bytes in input.

to skip the metadata and read only mp3 streams?

thank you
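The `icy-metaint:16000` header in the verbose curl output above means that after every 16000 audio bytes the server inserts one length byte followed by that many 16-byte units of metadata; the first reported header, 0x69746c65, is the ASCII text "itle". The following is an added example, not part of the original post or of libmpg123, of a filter that removes those blocks before the data reaches `mpg123_feed`; the names `icy_filter`, `icy_init` and `icy_strip` are hypothetical.

```c
#include <stddef.h>
#include <string.h>
/* Added example: state for removing in-band ICY metadata from a stream. */
typedef struct {
    size_t metaint;     /* audio bytes between metadata blocks (icy-metaint) */
    size_t audio_left;  /* audio bytes before the next length byte */
    size_t meta_left;   /* metadata bytes still to consume */
    size_t meta_len;    /* bytes stored in meta so far */
    char   meta[255 * 16 + 1]; /* latest block, NUL-terminated (max 4080 bytes) */
} icy_filter;

void icy_init(icy_filter *f, size_t metaint)
{
    memset(f, 0, sizeof *f);
    f->metaint = metaint;
    f->audio_left = metaint;
}

/* Copy only the audio bytes of in[0..n) to out (capacity >= n) and return
 * how many were written. Chunks may be cut anywhere, as network reads are;
 * the state in *f carries over between calls. */
size_t icy_strip(icy_filter *f, const unsigned char *in, size_t n, unsigned char *out)
{
    size_t i = 0, o = 0;
    if (f->metaint == 0) { memcpy(out, in, n); return n; } /* no metadata */
    while (i < n) {
        size_t rest = n - i, take;
        if (f->meta_left > 0) {            /* inside a metadata block */
            take = rest < f->meta_left ? rest : f->meta_left;
            memcpy(f->meta + f->meta_len, in + i, take);
            f->meta_len += take;
            f->meta[f->meta_len] = '\0';
            f->meta_left -= take;
            if (f->meta_left == 0) f->audio_left = f->metaint;
        } else if (f->audio_left > 0) {    /* inside audio data */
            take = rest < f->audio_left ? rest : f->audio_left;
            memcpy(out + o, in + i, take);
            o += take;
            f->audio_left -= take;
        } else {                           /* length byte, units of 16 bytes */
            take = 1;
            f->meta_left = (size_t)in[i] * 16;
            if (f->meta_left == 0) f->audio_left = f->metaint; /* unchanged */
            else f->meta_len = 0;
        }
        i += take;
    }
    return o;
}
```

Initialize the filter with the value from the `icy-metaint` response header and pass every received chunk through `icy_strip` before feeding the result to the decoder.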
