Mpg123: buffer overflow when writing decoded pcm samples

An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen, and arbitrary code execution is not discarded. The complexity required to exploit this flaw is considered high as the payload must be validated by the MPEG decoder and the PCM synth before execution. Additionally, to successfully execute the attack, the user must scan through the stream, making web live stream content (such as web radios) a very unlikely attack vector.

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

跨界内存写

mpg123 缓冲区错误漏洞

mpg123是Michael Hipp个人开发者的一款使用于Linux和Unix操作系统下的MPEG音频播放器和解码库。 mpg123 1.32.8之前版本存在缓冲区错误漏洞，该漏洞源于存在越界写入，可能会发生堆损坏和任意代码执行。

N/A

N/A