Description
Summary
Decoding certain malformed MP3 inputs with "github.com/gopxl/beep/v2/mp3" can trigger a panic caused by a slice out-of-bounds access. The panic comes from the upstream decoder that beep wraps; that repository has been archived and cannot be patched, so the issue is reported here for tracking and potential mitigation on the beep side. Wherever the library is exposed to untrusted input, the panic is a denial-of-service (DoS) vector.
Impact
A maliciously crafted MP3 input causes a panic inside mp3.Decode(). Unless the caller recovers from it, a single such file takes down the whole process, so in a server or any other context that accepts untrusted audio this is a denial-of-service, not just a failed decode.
Root Cause
The panic originates in the upstream library github.com/hajimehoshi/go-mp3, which beep's mp3 package uses for decoding; it performs insufficient bounds checking when decoding MP3 frames. That repository is archived and no longer maintained, so the fix cannot land upstream.
Reproduction Steps
The following Go test reproduces the panic. It asserts nothing: on the affected library it never reaches t.Fatal, because mp3.Decode panics before returning.
package test

import (
	"bytes"
	"io"
	"testing"

	"github.com/gopxl/beep/v2/mp3"
)

func TestMP3PanicCase(t *testing.T) {
	// Malformed input from the report: an MP3 frame sync (0xff 0xf2) followed by filler bytes.
	r := io.NopCloser(bytes.NewReader([]byte("\xff\xf2000000000000000001\xb3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")))
	// mp3.Decode takes an io.ReadCloser and returns the streamer, the format and an error.
	streamer, _, err := mp3.Decode(r)
	if err != nil {
		t.Fatal(err)
	}
	defer streamer.Close()
}
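Since the upstream decoder cannot be fixed, the mitigation available to a caller is containment: run the decode behind a recover() so that a bounds-check panic fails the one request instead of the process, and cap how much input the decoder may read. The example below is added here and is not code from beep or go-mp3. toyDecode is a constructed stand-in that indexes past the end of a truncated input the way the report describes; SafeDecode is the generic wrapper. To use it with the real library, adapt mp3.Decode with a closure that folds its three return values into two (an assumption about how you would wire it, not something the report shows).

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrDecoderPanicked is returned when the wrapped decoder panics instead of
// returning an error, so callers can tell a crashed decode from an ordinary
// format error and, for example, log it at a higher severity.
var ErrDecoderPanicked = errors.New("decoder panicked on malformed input")

// limitedReadCloser caps how many bytes the decoder may read while still
// closing the underlying stream.
type limitedReadCloser struct {
	io.Reader
	io.Closer
}

// SafeDecode runs dec on at most maxBytes of r and converts any panic raised
// by the decoder into an error. A runtime slice or index out-of-range panic in
// a third-party decoder then fails only this one decode, not the process.
// recover() only catches panics on the calling goroutine.
func SafeDecode[T any](dec func(io.ReadCloser) (T, error), r io.ReadCloser, maxBytes int64) (result T, err error) {
	defer func() {
		if p := recover(); p != nil {
			var zero T
			result = zero
			err = fmt.Errorf("%w: %v", ErrDecoderPanicked, p)
		}
	}()
	limited := &limitedReadCloser{Reader: io.LimitReader(r, maxBytes), Closer: r}
	return dec(limited)
}

// toyDecode is a constructed stand-in for a decoder that trusts a length taken
// from the input. It is NOT go-mp3 or beep: it checks only the frame sync,
// derives a frame length from the third header byte (a made-up rule) and then
// indexes the payload up to that length without comparing it to len(data), so
// a truncated input causes a bounds-check panic, the class of failure reported.
func toyDecode(rc io.ReadCloser) (int, error) {
	defer rc.Close()
	data, err := io.ReadAll(rc)
	if err != nil {
		return 0, err
	}
	if len(data) < 4 || data[0] != 0xFF || data[1]&0xE0 != 0xE0 {
		return 0, errors.New("toy: missing MP3 frame sync")
	}
	frameLen := 4 + int(data[2]>>4)*12 // made-up length rule for the stand-in
	var sum byte
	for i := 4; i < frameLen; i++ { // no check that frameLen <= len(data)
		sum ^= data[i] // index out of range on a truncated input
	}
	if sum != 0 {
		return 0, errors.New("toy: payload checksum mismatch")
	}
	return frameLen, nil
}

// goodFrame is a constructed input: a valid sync word and a header byte that
// the toy length rule maps to 112 bytes, followed by exactly that much data.
func goodFrame() []byte {
	f := make([]byte, 112)
	f[0], f[1], f[2] = 0xFF, 0xFB, 0x90
	return f
}

// truncatedFrame is the same header followed by far less data than it claims.
func truncatedFrame() []byte {
	return goodFrame()[:20]
}

func main() {
	const maxBytes = 1 << 20 // 1 MiB cap on what the decoder may read
	inputs := map[string][]byte{"good": goodFrame(), "truncated": truncatedFrame()}
	for name, in := range inputs {
		n, err := SafeDecode(toyDecode, io.NopCloser(bytes.NewReader(in)), maxBytes)
		switch {
		case errors.Is(err, ErrDecoderPanicked):
			fmt.Printf("%s: rejected, decoder crashed: %v\n", name, err)
		case err != nil:
			fmt.Printf("%s: rejected: %v\n", name, err)
		default:
			fmt.Printf("%s: decoded frame of %d bytes\n", name, n)
		}
	}
}
```

Treat ErrDecoderPanicked as a signal worth alerting on: an ordinary format error is expected from user uploads, while a recovered panic means someone sent input that reached a code path the decoder cannot handle. The recover wrapper is containment, not a fix, and it does not protect you if the library decodes on its own goroutines, since a panic there still terminates the process.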