Out-of-bounds Read (Buffer Under-read) in plm_audio_decode_frame due to insufficient validation #68
Description
Description
There is an out-of-bounds read vulnerability in plm_audio_decode_frame (line ~4076) when parsing malformed MPEG1 Audio Layer II frames.
The issue is due to bitrate_index not being checked against negative values after decrementation.
In pl_mpeg.h:
int bitrate_index = plm_buffer_read(self->buffer, 4) - 1;
if (bitrate_index > 13) { // Upper bound checked
return 0;
}
// Lower bound (bitrate_index < 0) is NOT checked.If the read value is 0, bitrate_index becomes -1. This invalid index is later used to access PLM_AUDIO_BIT_RATE:
int bitrate = PLM_AUDIO_BIT_RATE[self->bitrate_index]; // OOB Read [-1]Reproduction
This can be reproduced with a minimal 43-byte input file.
Crash file (hex):
000001ba2265616465010000000001bbffff0200405000000001c0000900ff00ffff00fffd001fd3000000
Steps:
- Create the file:
echo "..." | xxd -r -p > crash.mpg - Compile a simple harness with ASAN/UBSan (calling
plm_create_with_memory+plm_decode_audio). - Run:
./poc crash.mpg
Output:
pl_mpeg.h:4076:16: runtime error: index -1 out of bounds for type 'const short[28]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior pl_mpeg.h:4076:16
Suggested Fix
Add a lower bound check in plm_audio_decode_header:
if (bitrate_index < 0 || bitrate_index > 13) {
return 0;
}