Bug#677148: mpg123_getformat() hangs in endless loop
Max Kellermann
max at duempel.org
Mon Jun 11 21:27:45 UTC 2012
Package: libmpg123-0
Version: 1.14.2-1
Severity: important
On (broken?) MP3 files, mpg123_getformat() hangs in an I/O loop that
reads one byte at a time, seeks back 64 kB, and repeats practically
forever. Example strace:
[...]
read(4, "\277", 1) = 1
read(4, "Y", 1) = 1
read(4, "\36", 1) = 1
read(4, "\v", 1) = 1
lseek(4, -65536, SEEK_CUR) = 19013
read(4, "\277", 1) = 1
read(4, "Y", 1) = 1
read(4, "\36", 1) = 1
read(4, "\v", 1) = 1
read(4, "\"", 1) = 1
read(4, "`", 1) = 1
[...]
MPD backtrace (there's no -dbg package):
#0 0x00007f843b9c218d in read () at ../sysdeps/unix/syscall-template.S:82
#1 0x00007f843fa89d9e in ?? () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#2 0x00007f843fa89e6c in ?? () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#3 0x00007f843fa7d9f3 in ?? () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#4 0x00007f843fa7e0e1 in ?? () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#5 0x00007f843fa8eafa in ?? () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#6 0x00007f843fa8f1ec in mpg123_getformat () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#7 0x0000000000432444 in mpd_mpg123_open (handle=handle@entry=0x1629270,
This causes the Music Player Daemon (when built with libmpg123) to go
into an endless busy loop upon starting playback, and become
unresponsive as soon as a client asks MPD to change playback. Severity
"important" (or more) because this bug is a remote DoS vulnerability
for MPD.
Due to copyright issues, I will provide a sample file demonstrating
the problem via private email only.
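As an added illustration (not part of the report), a small Python checker that scans strace output for exactly the signature above: single-byte reads on one descriptor followed by a backward lseek(SEEK_CUR) that keeps returning the same offset, i.e. no net progress through the file. The sample trace is constructed in the shape of the excerpt, with a second, healthy descriptor added for contrast.

```python
import re

# Constructed sample in the shape of the strace excerpt from the report: fd 4 shows
# the hang signature (1-byte reads, then lseek back 64 kB always landing on 19013);
# fd 5 is a healthy reader added for contrast (its seeks land on advancing offsets).
SAMPLE_STRACE = r"""read(4, "\277", 1) = 1
read(4, "Y", 1) = 1
read(4, "\36", 1) = 1
lseek(4, -65536, SEEK_CUR) = 19013
read(4, "\277", 1) = 1
read(4, "\v", 1) = 1
lseek(4, -65536, SEEK_CUR) = 19013
read(5, "\377\373\220d", 4) = 4
lseek(5, -2, SEEK_CUR) = 102
read(4, "\"", 1) = 1
lseek(4, -65536, SEEK_CUR) = 19013
read(5, "\377\373\220d", 4) = 4
lseek(5, -2, SEEK_CUR) = 104
"""

READ_RE = re.compile(r'^read\((\d+), ".*", (\d+)\)\s*=\s*(-?\d+)')
LSEEK_RE = re.compile(r'^lseek\((\d+), (-?\d+), SEEK_CUR\)\s*=\s*(-?\d+)')


def _new_state():
    return {"last_pos": None, "repeats": 0, "cycles": 0, "single_byte_reads": 0}


def find_seek_loops(trace, min_repeats=3):
    """Per file descriptor, count 'read forward, lseek backward' cycles and flag a
    hang when min_repeats consecutive backward seeks return the same offset."""
    state = {}
    for line in trace.splitlines():
        m = READ_RE.match(line)
        if m:
            st = state.setdefault(int(m.group(1)), _new_state())
            if int(m.group(2)) == 1 and int(m.group(3)) == 1:
                st["single_byte_reads"] += 1
            continue
        m = LSEEK_RE.match(line)
        if not m:
            continue
        fd, offset, pos = (int(g) for g in m.groups())
        if offset >= 0 or pos < 0:
            continue  # forward seek, or a failed seek (-1 errno): not the pattern
        st = state.setdefault(fd, _new_state())
        st["cycles"] += 1
        st["repeats"] = st["repeats"] + 1 if st["last_pos"] == pos else 0
        st["last_pos"] = pos
    return {fd: {"cycles": st["cycles"], "stuck_at": st["last_pos"],
                 "single_byte_reads": st["single_byte_reads"],
                 "hang": st["repeats"] + 1 >= min_repeats}
            for fd, st in state.items() if st["cycles"]}
```

Run it over `strace -p <mpd pid>` output captured while MPD is stuck; a descriptor reported with `"hang": True` is the one the decoder is spinning on.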