thr3ads.net - Icecast dev - [icecast-dev] bug in cvs version of icecast2? [Aug 2004]

If this information is useful, please help other people find it:
Share via:

Emil Styrke

2004-Aug-06 14:57 UTC

[icecast-dev] bug in cvs version of icecast2?

Hi!

I found out that icecast will crash when trying to stream a title or
artist with % in the name.  The cause seems to be in stats.c, line 158
where the text is sent as a format string to vsnprintf.  This could
possibly be used for an exploit too.  The solution I came up with is
to call stats_event instead of stats_event_args from
format_vorbis_get_buffer in format_vorbis.c.  I've included a patch
below.

        /Emil

Index: format_vorbis.c
==================================================================RCS file:
/usr/local/cvsroot/icecast/src/format_vorbis.c,v
retrieving revision 1.6
diff -r1.6 format_vorbis.c
144,145c144,145
<                               if (tag) stats_event_args(self->mount,
"title", tag);
<                               else stats_event_args(self->mount,
"title", "unknown");

--->                               if (tag) stats_event(self->mount,
"title", tag);
>                               else stats_event(self->mount,
"title", "unknown");147,148c147,148
<                               if (tag) stats_event_args(self->mount,
"artist", tag);
<                               else stats_event_args(self->mount,
"artist", "unknown");
--->                               if (tag) stats_event(self->mount,
"artist", tag);
>                               else stats_event(self->mount,
"artist", "unknown");
<p>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: part
Type: application/pgp-signature
Size: 233 bytes
Desc: not available
Url :
http://lists.xiph.org/pipermail/icecast-dev/attachments/20020602/fe764234/part.pgp

Michael Smith

2004-Aug-06 14:57 UTC

head link

[icecast-dev] bug in cvs version of icecast2?

At 09:59 PM 6/2/02 +0200, you wrote:>Hi!
>
>I found out that icecast will crash when trying to stream a title or
>artist with % in the name.  The cause seems to be in stats.c, line 158
>where the text is sent as a format string to vsnprintf.  This could
>possibly be used for an exploit too.  The solution I came up with is
>to call stats_event instead of stats_event_args from
>format_vorbis_get_buffer in format_vorbis.c.  I've included a patch
>below.
Argh! You'd think people would have learnt by now...

Thanks a lot for the patch! I've just committed it.

Michael

<p>--- >8 ----
List archives:  http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to
'icecast-dev-request@xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is
needed.
Unsubscribe messages sent to the list will be ignored/filtered.

Seemingly Similar Threads

Search for more reasonably related threads

Icecast dev - Aug 2004 - bug in cvs version of icecast2?

[icecast-dev] bug in cvs version of icecast2?

[icecast-dev] bug in cvs version of icecast2?

Seemingly Similar Threads