### CAN-2003-0577 diff -urN mpg123.old/common.c mpg123/common.c --- mpg123.old/common.c 2001-05-16 09:56:56.000000000 -0700 +++ mpg123/common.c 2003-09-30 00:31:24.000000000 -0700 @@ -127,7 +127,7 @@ return FALSE; if(!((head>>17)&3)) return FALSE; - if( ((head>>12)&0xf) == 0xf) + if( ((head>>12)&0xf) == 0xf || ((head>>12)&0xf) == 0) return FALSE; if( ((head>>10)&0x3) == 0x3 ) return FALSE; @@ -140,7 +140,7 @@ * -1: giving up * 1: synched */ -#define MAX_INPUT_FRAMESIZE 1920 +#define MAX_INPUT_FRAMESIZE 4096 #define SYNC_HEAD_MASK 0xffff0000 #define SYNC_HEAD_MASK_FF 0x0000f000 #define LOOK_AHEAD_NUM 3 @@ -579,7 +579,11 @@ fprintf(stderr,"Sorry, unknown layer type.\n"); return (0); } - + if (fr->framesize>MAX_INPUT_FRAMESIZE) { + fprintf(stderr,"Frame size too big.\n"); + fr->framesize = MAX_INPUT_FRAMESIZE; + return 0; + } if(!fr->bitrate_index) { /* fprintf(stderr,"Warning, Free format not heavily tested: (head %08lx)\n",newhead); */ fr->framesize = 0; ### CAN-2003-0865 diff -Nru mpg123.orig/httpget.c mpg123/httpget.c --- mpg123.orig/httpget.c 2006-06-16 08:04:50.000000000 +0200 +++ mpg123/httpget.c 2006-06-16 08:05:14.000000000 +0200 @@ -55,7 +55,7 @@ #endif int pos = 0; - while(1) { + while(maxlen>pos) { if( read(fileno(f),string+pos,1) == 1) { pos++; if(string[pos-1] == '\n') { ### CAN-2004-0805 --- mpg123/layer2.c.orig 2004-09-14 17:15:48.000000000 -0400 +++ mpg123/layer2.c 2004-09-14 17:18:49.000000000 -0400 @@ -287,6 +287,12 @@ fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ? (fr->mode_ext<<2)+4 : fr->II_sblimit; + /* security fix. */ + if (fr->jsbound > fr->II_sblimit) { + fprintf(stderr, "Truncating stereo boundary to sideband limit.\n"); + fr->jsbound=fr->II_sblimit; + } + if(stereo == 1 || single == 3) single = 0; ### CAN-2004-0982 --- mpg123-orig/httpget.c 2000-10-30 18:45:12.000000000 +0100 +++ mpg123-myfix/httpget.c 2006-05-22 02:45:59.000000000 +0200 @@ -3,6 +3,11 @@ * * Oliver Fromme * Wed Apr 9 20:57:47 MET DST 1997 + * + * Modified by Jeremy Huddleston 2004.10.21 per + * http://bugs.gentoo.org/show_bug.cgi?id=68343 + * http://www.barrossecurity.com/advisories/mpg123_getauthfromurl_bof_advisory.txt + * */ #undef ALSA @@ -221,12 +226,12 @@ unsigned char *proxyport; #define ACCEPT_HEAD "Accept: audio/mpeg, audio/x-mpegurl, */*\r\n" char *httpauth = NULL; -char httpauth1[256]; +char *httpauth1 = NULL; int http_open (char *url) { char *purl, *host, *request, *sptr; - int linelength; + unsigned int linelength, linelengthbase, purl_length; unsigned long myip; unsigned char *myport; int sock; @@ -270,53 +275,80 @@ int http_open (char *url) exit(1); } - - if ((linelength = strlen(url)+200) < 1024) - linelength = 1024; - if (!(request = malloc(linelength)) || !(purl = malloc(1024))) { + /* + * The length of purl is upper bound by 3*strlen(url) + 1 if everything + * in it is a space. For HTTP redirections, we need something longer; + * 1024 bytes were arbitrarily chosen. + */ + purl_length = strlen(url) * 3 + 1; + if (purl_length < 1024) purl_length = 1024; + purl = (char *)malloc(sizeof(char) * purl_length); + if (!purl) { fprintf (stderr, "malloc() failed, out of memory.\n"); exit (1); } - /* - * 2000-10-21: - * We would like spaces to be automatically converted to %20's when - * fetching via HTTP. - * -- Martin Sjögren - */ - if ((sptr = strchr(url, ' ')) == NULL) { - strncpy (purl, url, 1023); - purl[1023] = '\0'; - } - else { - int purllength = 0; - char *urlptr = url; - purl[0] = '\0'; - do { - purllength += sptr-urlptr + 3; - if (purllength >= 1023) - break; - strncat (purl, urlptr, sptr-urlptr); - //purl[sptr-url] = '\0'; - strcat (purl, "%20"); - urlptr = sptr + 1; - } - while ((sptr = strchr (urlptr, ' ')) != NULL); - strcat (purl, urlptr); - } + /* + * 2000-10-21: + * We would like spaces to be automatically converted to %20's when + * fetching via HTTP. + * -- Martin Sjögren + */ + if ((sptr = strchr(url, ' ')) == NULL) { + strcpy (purl, url); + } else { + char *urlptr = url; + purl[0] = '\0'; + do { + strncat (purl, urlptr, sptr - urlptr); + strcat (purl, "%20"); + urlptr = sptr + 1; + } + while ((sptr = strchr (urlptr, ' ')) != NULL); + strcat (purl, urlptr); + } + + httpauth1 = (char *)malloc((strlen(purl) + 1) * sizeof(char)); + if(!httpauth1) { + fprintf(stderr, "malloc() failed, out of memory.\n"); + exit(1); + } + getauthfromURL(purl,httpauth1); + + /* "GET http://" + 11 + * " HTTP/1.0\r\nUser-Agent: /\r\n" 26 + prgName + prgVersion + * ACCEPT_HEAD strlen(ACCEPT_HEAD) + * "Authorization: Basic \r\n" 23 + * "\r\n" 2 + */ + linelengthbase = 62 + strlen(prgName) + strlen(prgVersion) + strlen(ACCEPT_HEAD); + + if(httpauth) + linelengthbase += (strlen(httpauth) + 1) * 4; - getauthfromURL(purl,httpauth1); + if(httpauth1) + linelengthbase += (strlen(httpauth1) + 1) * 4; do { - strcpy (request, "GET "); if (proxyip != INADDR_NONE) { - if (strncasecmp(url, "http://", 7) != 0 && strncasecmp(url,"ftp://", 6) != 0) - strcat (request, "http://"); - strcat (request, purl); myport = proxyport; myip = proxyip; - } - else { + + linelength = linelengthbase + strlen(purl); + if(host) + linelength += 9 + strlen(host) + strlen(myport); /* "Host: :\r\n" */ + + request = (char *)malloc((linelength + 1) * sizeof(char)); + if (!request) { + fprintf (stderr, "malloc() failed, out of memory.\n"); + exit (1); + } + + strcpy (request, "GET "); + if (strncasecmp(url, "http://", 7) != 0 && strncasecmp(url,"ftp://", 6) != 0) + strcat (request, "http://"); + strcat (request, purl); + } else { if (host) { free(host); host=NULL; @@ -325,19 +357,30 @@ int http_open (char *url) free(proxyport); proxyport=NULL; } - if (!(sptr = url2hostport(purl, &host, &myip, &myport))) { - fprintf (stderr, "Unknown host \"%s\".\n", - host ? host : ""); + + sptr = url2hostport(purl, &host, &myip, &myport); + if (!sptr) { + fprintf (stderr, "Unknown host \"%s\".\n", host ? host : ""); + exit (1); + } + + linelength = linelengthbase + strlen(sptr); + if(host) + linelength += 9 + strlen(host) + strlen(myport); /* "Host: :\r\n" */ + + request = (char *)malloc((linelength + 1) * sizeof(char)); + if (!request) { + fprintf (stderr, "malloc() failed, out of memory.\n"); exit (1); } + + strcpy (request, "GET "); strcat (request, sptr); } - sprintf (request + strlen(request), - " HTTP/1.0\r\nUser-Agent: %s/%s\r\n", - prgName, prgVersion); + + sprintf (request + strlen(request), " HTTP/1.0\r\nUser-Agent: %s/%s\r\n", prgName, prgVersion); if (host) { - sprintf(request + strlen(request), - "Host: %s:%s\r\n", host, myport); + sprintf(request + strlen(request), "Host: %s:%s\r\n", host, myport); #if 0 free (host); #endif @@ -394,15 +437,29 @@ fail: exit(1); } - if (strlen(httpauth1) || httpauth) { - char buf[1023]; + if (httpauth1 || httpauth) { + char *buf; strcat (request,"Authorization: Basic "); - if(strlen(httpauth1)) - encode64(httpauth1,buf); - else - encode64(httpauth,buf); - strcat (request,buf); + if(httpauth1) { + buf=(char *)malloc((strlen(httpauth1) + 1) * 4 * sizeof(char)); + if(!buf) { + fprintf(stderr, "Error allocating sufficient memory for http authentication. Exiting."); + exit(1); + } + encode64(httpauth1,buf); + free(httpauth1); + } else { + buf=(char *)malloc((strlen(httpauth) + 1) * 4 * sizeof(char)); + if(!buf) { + fprintf(stderr, "Error allocating sufficient memory for http authentication. Exiting."); + exit(1); + } + encode64(httpauth,buf); + } + + strcat (request, buf); strcat (request,"\r\n"); + free(buf); } strcat (request, "\r\n"); @@ -428,16 +485,19 @@ fail: } do { readstring (request, linelength-1, myfile); - if (!strncmp(request, "Location:", 9)) - strncpy (purl, request+10, 1023); + if (!strncmp(request, "Location:", 9)) { + strncpy (purl, request+10, purl_length); + purl[purl_length - 1] = 0; + } } while (request[0] != '\r' && request[0] != '\n'); + + free(request); } while (relocate && purl[0] && numrelocs++ < 5); if (relocate) { fprintf (stderr, "Too many HTTP relocations.\n"); exit (1); } - free (purl); - free (request); + free(purl); free(host); free(proxyport); free(myport); ### CAN-2004-0991 diff -Naurp mpg123-0.59s.vanilla/layer2.c mpg123/layer2.c --- mpg123-0.59s.vanilla/layer2.c 2004-12-18 17:53:59.256803488 -0800 +++ mpg123/layer2.c 2005-01-06 01:28:56.389304770 -0800 @@ -262,7 +262,7 @@ static void II_select_table(struct frame { alloc_0, alloc_1, alloc_2, alloc_3 , alloc_4 }; static int sblims[5] = { 27 , 30 , 8, 12 , 30 }; - if(fr->lsf) + if(fr->sampling_frequency >= 3) /* Or equivalent: (fr->lsf == 1) */ table = 4; else table = translate[fr->sampling_frequency][2-fr->stereo][fr->bitrate_index]; ### CAN-2004-1284 diff -Naur mpg123-0.59s.vanilla/playlist.c mpg123/playlist.c --- mpg123-0.59s.vanilla/playlist.c 2000-10-25 04:05:26.000000000 -0700 +++ mpg123/playlist.c 2004-12-18 17:53:34.337908223 -0800 @@ -110,9 +110,9 @@ if ((playlist->listnamedir) && (line[0]!='/') && (line[0]!='\\') && (strncasecmp(line, "http://", 7)) && (strncasecmp(line, "ftp://",6)) ){ - strcpy (linetmp, playlist->listnamedir); - strcat (linetmp, line); - strcpy (line, linetmp); + strncpy (linetmp, playlist->listnamedir, 1023); + strncat (linetmp, line, 1023 - strlen(linetmp)); + strncpy (line, linetmp, 1023); } return 1; }