Package: libmpg123-0
Version: 1.14.2-1
Severity: important

On (broken?) MP3 files, mpg123_getformat() hangs in an I/O loop that reads one byte at a time, seeks back 64 kB, and repeats practically forever. Example strace:

[...]
read(4, "\277", 1) = 1
read(4, "Y", 1) = 1
read(4, "\36", 1) = 1
read(4, "\v", 1) = 1
lseek(4, -65536, SEEK_CUR) = 19013
read(4, "\277", 1) = 1
read(4, "Y", 1) = 1
read(4, "\36", 1) = 1
read(4, "\v", 1) = 1
read(4, "\"", 1) = 1
read(4, "`", 1) = 1
[...]

MPD backtrace (there's no -dbg package):

#0 0x00007f843b9c218d in read () at ../sysdeps/unix/syscall-template.S:82
#1 0x00007f843fa89d9e in ?? () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#2 0x00007f843fa89e6c in ?? () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#3 0x00007f843fa7d9f3 in ?? () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#4 0x00007f843fa7e0e1 in ?? () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#5 0x00007f843fa8eafa in ?? () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#6 0x00007f843fa8f1ec in mpg123_getformat () from /usr/lib/x86_64-linux-gnu/libmpg123.so.0
#7 0x0000000000432444 in mpd_mpg123_open (handle=handle@entry=0x1629270,

This causes the Music Player Daemon (when built with libmpg123) to go into an endless busy loop upon starting playback, and it becomes irresponsive as soon as a client asks MPD to change playback.

Severity "important" (or more) because this bug is a remote DoS vulnerability for MPD.

Due to copyright issues, I will provide a sample file demonstrating the problem via private email only.
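
One way to spot the I/O pattern described in this report in a captured strace, added here as an example and not part of the original report, libmpg123 or MPD. The function names, thresholds and sample traces are hypothetical and constructed for illustration.

```python
import re
from collections import defaultdict

# strace line shapes as shown in the report; long buffers may end in "..."
READ = re.compile(r'read\((\d+), ".*"(?:\.\.\.)?, (\d+)\)\s*=\s*(-?\d+)')
SEEK = re.compile(r'lseek\((\d+), (-?\d+), (SEEK_\w+)\)\s*=\s*(-?\d+)')

def find_rewind_loops(trace, min_rewinds=3, tiny_ratio=0.9):
    """Return {fd: stats} for descriptors that are read almost entirely in
    1-byte requests and repeatedly rewound with a negative SEEK_CUR."""
    stats = defaultdict(lambda: {"reads": 0, "tiny": 0, "rewinds": 0, "rewound": 0})
    for line in trace.splitlines():
        m = READ.search(line)
        if m:
            if int(m[3]) > 0:                      # ignore EOF and errors
                s = stats[int(m[1])]
                s["reads"] += 1
                s["tiny"] += int(m[2]) == 1        # requested size of one byte
            continue
        m = SEEK.search(line)
        if m and m[3] == "SEEK_CUR" and int(m[2]) < 0 and int(m[4]) >= 0:
            s = stats[int(m[1])]
            s["rewinds"] += 1
            s["rewound"] += -int(m[2])             # total bytes seeked backwards
    return {fd: s for fd, s in stats.items()
            if s["rewinds"] >= min_rewinds and s["reads"]
            and s["tiny"] / s["reads"] >= tiny_ratio}

def constructed_trace(cycles, window=65536, fd=4, base=19013):
    """Constructed sample: `cycles` rounds of 1-byte reads, then a rewind.
    Assumes every rewind lands on the same offset; the report shows only one."""
    lines = []
    for _ in range(cycles):
        lines += [f'read({fd}, "\\277", 1) = 1'] * window
        lines.append(f"lseek({fd}, -{window}, SEEK_CUR) = {base}")
    return "\n".join(lines)

# Constructed benign trace: block-sized reads and one seek to the tag at EOF.
BENIGN = "\n".join(['read(5, "ID3\\3"..., 4096) = 4096'] * 20
                   + ["lseek(5, -128, SEEK_END) = 9000"])

if __name__ == "__main__":
    for fd, s in find_rewind_loops(constructed_trace(3)).items():
        print(f"fd {fd}: {s['rewinds']} rewinds, {s['rewound']} bytes rewound, "
              f"{s['tiny']}/{s['reads']} reads of 1 byte")
    print("benign flagged:", bool(find_rewind_loops(BENIGN)))
```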