libming: listmp3: divide-by-zero in printMP3Headers (listmp3.c)

Description:
libming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way.

Fuzzing revealed a divide-by-zero in listmp3, one of the utilities shipped with libming. The bug does not reside in any shared object, so applications that only link libming are not exposed; but if you have a web application that calls the listmp3 binary directly to parse untrusted MP3 files, you are affected. The division raises SIGFPE, so the impact is a crash of the helper process on a crafted input.

The complete ASan output:

# listmp3 $FILE
ASAN:DEADLYSIGNAL
=================================================================
==29561==ERROR: AddressSanitizer: FPE on unknown address 0x0000004f19e8 (pc 0x0000004f19e8 bp 0x000000000000 sp 0x7ffdf0ab6340 T0)
    #0 0x4f19e7 in printMP3Headers /var/tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/listmp3.c:172:54
    #1 0x4f1bee in main /var/tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/listmp3.c:191:3
    #2 0x7f49407a361f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #3 0x418ae8 in getenv (/usr/bin/listmp3+0x418ae8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /var/tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/listmp3.c:172:54 in printMP3Headers
==29561==ABORTING
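
The ASan trace above reports only the file, line and column of the faulting division (listmp3.c:172:54), not the expression itself, so the following is an added example of the bug class rather than libming's code. An MP3 frame header carries a 2-bit sample-rate index and a 4-bit bitrate index; index 3 of the sample-rate table is reserved, and a parser that maps it to 0 and then computes the Layer III frame length (144 * bitrate / samplerate + padding) divides by zero on a crafted header. The unchecked variant and the hardened one are shown side by side over four constructed headers; the names, the table layout and the restriction to MPEG-1 Layer III are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not libming code): MPEG-1 Layer III frame header parsing
 * and the frame-length division that a reserved sample-rate index turns
 * into a divide-by-zero. Table layout and names are this example's own.
 */

/* Bitrate index -> kbit/s for MPEG-1 Layer III. Index 0 is "free format",
 * index 15 is forbidden; both map to 0 here. */
static const int kBitrateKbps[16] = {
    0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 0
};

/* Sample-rate index -> Hz for MPEG-1. Index 3 is reserved and maps to 0,
 * which is exactly the value that must never reach a divisor. */
static const int kSampleRateHz[4] = { 44100, 48000, 32000, 0 };

/* Constructed 4-byte headers used by main() and the checks. */
static const uint8_t kGoodHeader[4]      = { 0xFF, 0xFB, 0x90, 0x00 }; /* 128 kbit/s, 44.1 kHz, no padding */
static const uint8_t kPaddedHeader[4]    = { 0xFF, 0xFB, 0x92, 0x00 }; /* same, padding bit set */
static const uint8_t kReservedRateHdr[4] = { 0xFF, 0xFB, 0x9C, 0x00 }; /* sample-rate index 3 (reserved) */
static const uint8_t kNoSyncHeader[4]    = { 0x49, 0x44, 0x33, 0x04 }; /* "ID3" tag bytes, not a frame */

/* Decode the fields we need. Returns 0 on a bad sync/version/layer, 1 otherwise. */
static int parse_fields(const uint8_t hdr[4], int *bitrate_idx,
                        int *samplerate_idx, int *padding)
{
    if (hdr[0] != 0xFF || (hdr[1] & 0xE0) != 0xE0)   /* 11-bit sync word */
        return 0;
    int version = (hdr[1] >> 3) & 0x3;                /* 3 = MPEG-1 */
    int layer   = (hdr[1] >> 1) & 0x3;                /* 1 = Layer III */
    if (version != 3 || layer != 1)                   /* assumption: MPEG-1 Layer III only */
        return 0;
    *bitrate_idx    = (hdr[2] >> 4) & 0xF;
    *samplerate_idx = (hdr[2] >> 2) & 0x3;
    *padding        = (hdr[2] >> 1) & 0x1;
    return 1;
}

/* Unchecked variant: trusts the table lookups. A header with sample-rate
 * index 3 makes the divisor 0 and raises SIGFPE, the failure mode the ASan
 * trace above reports. Never call it on untrusted input. */
int mp3_frame_length_unchecked(const uint8_t hdr[4])
{
    int bi, si, pad;
    if (!parse_fields(hdr, &bi, &si, &pad))
        return -1;
    return 144 * kBitrateKbps[bi] * 1000 / kSampleRateHz[si] + pad;
}

/* Hardened variant: reject reserved/free/forbidden indices before dividing.
 * Returns the frame length in bytes, or -1 for any header that cannot be
 * sized safely. */
int mp3_frame_length(const uint8_t hdr[4])
{
    int bi, si, pad;
    if (!parse_fields(hdr, &bi, &si, &pad))
        return -1;
    int bitrate    = kBitrateKbps[bi];
    int samplerate = kSampleRateHz[si];
    if (samplerate == 0)          /* reserved index: would divide by zero */
        return -1;
    if (bitrate == 0)             /* free/forbidden: a 0-byte frame would stall a frame walker */
        return -1;
    return 144 * bitrate * 1000 / samplerate + pad;
}

int main(void)
{
    printf("good     : %d\n", mp3_frame_length(kGoodHeader));
    printf("padded   : %d\n", mp3_frame_length(kPaddedHeader));
    printf("reserved : %d\n", mp3_frame_length(kReservedRateHdr));
    printf("no sync  : %d\n", mp3_frame_length(kNoSyncHeader));
    return 0;
}
```

The valid headers size to 417 and 418 bytes; the reserved-rate header is rejected with -1 instead of faulting. The same pattern applies to any table-driven field in a media header: validate the looked-up value, not just the index range, before it is used as a divisor or a loop step.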

Affected version:
0.4.7

Fixed version:
0.4.8

Commit fix:
https://github.com/libming/libming/commit/b0704f80ef2ec1507043df77d6519d18cf017e16

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2016-9265

Reproducer:
https://github.com/asarubbo/poc/blob/master/00045-libming-fpe-printMP3Headers

Timeline:
2016-08-13: bug discovered
2016-10-20: bug reported to upstream
2016-11-09: blog post about the issue
2016-11-10: CVE assigned
2017-01-30: upstream released a patch
2017-04-07: upstream released 0.4.8

Note:
This bug was found with American Fuzzy Lop.
