In the lame label check function, we first consider the mono and stereo value based on the input of two fixed values, which lame offset is equal to 32. Based on lsf

```c
off_t track_frames;
off_t track_samples;
double mean_framesize;
off_t mean_frames;
int fsizeold;
int ssize;
unsigned int bitreservoir;
unsigned char bsspace[2][MAXFRAMESIZE+512]; /* MAXFRAMESIZE */
unsigned char *bsbuf;
unsigned char *bsbufold;
int bsnum;
```

To be handled by this function code, the Xing header must be 120 bytes:

```c
if(fr->framesize >= 120+lame_offset)
```

After that, as you can see here, all of the `fr->bsbuf[i]` values can be controlled by the attacker without any restrictions, and they will check and search it.

```c
for(i=2; i < lame_offset; ++i) if(fr->bsbuf[i] != 0) break;
```

The problem is that the value of bsbuf can be determined by the attacker and can change according to the input. If the value of bsbuf is 32 for example, +3 is returned when it was served in the last lookup. An out-of-range read may occur. This scenario can be implemented by sending a format file or communication based on voice in the form of an exploit code for the frame.

NOTE: id3 structure

miorakun changed the title from "out of bounds read in check_lame_tag ->parse.c" to "out of bounds read in parse.c -> check_lame_tag" on Aug 11, 2024
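
A bounds-checked form of the guard and scan quoted in the report, written as an added example (it is not the project's code and not part of the issue). The function names, result codes and the `capacity` parameter are assumptions; the side-info sizes other than the 32 named in the report are the standard MPEG audio values.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical result codes for this example. */
enum scan_result { SCAN_ALL_ZERO = 0, SCAN_NONZERO = 1,
                   SCAN_TOO_SHORT = -1, SCAN_BAD_SIZE = -2 };

/* Side-info length after the 4-byte frame header: 32 for MPEG-1 stereo
   (the case named in the report); 17, 17 and 9 are the other standard sizes. */
static size_t side_info_len(int stereo, int lsf)
{
    if (stereo == 2) return lsf ? 17 : 32;
    return lsf ? 9 : 17;
}

/* buf/capacity describe the real allocation; framesize is the length the
   parsed header claims. Every index read in the loop is shown to be
   < framesize <= capacity before the loop starts. */
static enum scan_result scan_side_info(const unsigned char *buf, size_t capacity,
                                       size_t framesize, int stereo, int lsf)
{
    size_t lame_offset = side_info_len(stereo, lsf);
    size_t i;

    if (buf == NULL || framesize > capacity)
        return SCAN_BAD_SIZE;             /* header claims more than we hold */
    if (framesize < 120 + lame_offset)
        return SCAN_TOO_SHORT;            /* same guard as quoted in the report */
    for (i = 2; i < lame_offset; ++i)     /* highest index read: lame_offset-1 */
        if (buf[i] != 0)
            return SCAN_NONZERO;
    return SCAN_ALL_ZERO;
}

int main(void)
{
    unsigned char frame[160] = {0};       /* constructed sample frame body */

    printf("zeroed, 152 bytes : %d\n", scan_side_info(frame, sizeof frame, 152, 2, 0));
    frame[31] = 0xff;                     /* last byte the scan looks at */
    printf("byte 31 set       : %d\n", scan_side_info(frame, sizeof frame, 152, 2, 0));
    printf("claimed 151 bytes : %d\n", scan_side_info(frame, sizeof frame, 151, 2, 0));
    printf("claimed 200 bytes : %d\n", scan_side_info(frame, sizeof frame, 200, 2, 0));
    return 0;
}
```
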