CVE-2017-10683
Description
In mpg123 1.25.0, the convert_latin1 function in libmpg123/id3.c has a heap-based buffer over-read that can be triggered remotely via a crafted MP3 file, leading to denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In mpg123 version 1.25.0, the function convert_latin1 in libmpg123/id3.c contains a heap-based buffer over-read vulnerability. A crafted input file can cause the function to read beyond the bounds of an allocated heap buffer, as demonstrated by the proof-of-concept file POC1. The issue is reachable when mpg123 processes MPEG streams, and the heap-buffer-overflow is reported by AddressSanitizer at a READ of size 1 at an address 0 bytes to the right of a 37-byte region [1].
Exploitation
An attacker can exploit this vulnerability by supplying a specially crafted MP3 file that, when processed by mpg123 (e.g., via the command `./mpg123 POC1`), triggers the heap-based buffer over-read in the convert_latin1 function. No special authentication or elevated privileges are required; the attack can be carried out remotely by inducing a victim to play the malicious file. The exploit does not require user interaction beyond opening the file [1].
Impact
Successful exploitation results in a remote denial of service: the buffer over-read can cause the application to crash. Because the crash comes from reading invalid memory, sensitive memory contents may also be disclosed in certain configurations, but the primary impact is denial of service. No code execution or privilege escalation is described in the available references [1].
Mitigation
As of the publication date (2017-06-29), no official patch for this issue in mpg123 1.25.0 has been released. Users are advised to monitor the mpg123 project for updates and apply the fix when available. Until then, exercising caution when opening untrusted MP3 files is recommended. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check in convert_latin1 allows reading past the end of a heap buffer when processing Latin-1 ID3 text."
Attack vector
An attacker provides a crafted MP3 file containing a malformed ID3 tag. When mpg123 parses the ID3v2 frame (e.g., "TPE1"), the `convert_latin1` function reads past the end of a heap-allocated buffer [CWE-125][ref_id=1]. The ASan report shows a READ of size 1 at offset 0 bytes to the right of a 37-byte region, confirming the out-of-bounds read [ref_id=1]. No authentication or special privileges are required; the victim only needs to open the malicious file with mpg123.
Affected code
The heap-based buffer over-read occurs in the `convert_latin1` function in `src/libmpg123/id3.c` at line 979 [ref_id=1]. The call chain starts from `INT123_parse_new_id3` through `process_text` and `store_id3_text` to `INT123_id3_to_utf8`, which invokes `convert_latin1` [ref_id=1].
What the fix does
The Red Hat bug report does not include a patch diff, but the fix was released in mpg123 version 1.25.6, as indicated by the Fedora updates pushed to stable repositories [ref_id=1]. The advisory does not specify the exact code change; however, the remediation addresses the missing bounds check in `convert_latin1` that caused the over-read when processing Latin-1 encoded ID3 text [ref_id=1].
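The kind of bounds check the root cause calls for, as an added example in C that is not mpg123's code or its actual fix. The function name `latin1_frame_to_utf8` and the `declared`/`available` parameters are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not mpg123's convert_latin1): convert the body of a
 * Latin-1 ID3v2 text frame to a NUL-terminated UTF-8 string without reading
 * past the bytes that are actually present.
 *   body      - frame body: one encoding byte followed by the text
 *   declared  - body size taken from the frame header (untrusted)
 *   available - bytes really held in the buffer that backs `body`
 * Returns a malloc'd string, or NULL for malformed input or failed malloc. */
char *latin1_frame_to_utf8(const uint8_t *body, size_t declared, size_t available)
{
    if (body == NULL || declared < 1 || declared > available)
        return NULL;                      /* size the buffer cannot back */
    if (body[0] != 0x00)
        return NULL;                      /* 0x00 marks ISO-8859-1 in ID3v2 */

    const uint8_t *text = body + 1;
    size_t len = declared - 1;            /* skip the encoding byte */
    if (len > (SIZE_MAX - 1) / 2)
        return NULL;                      /* 2*len + 1 would overflow */

    /* Stop at an embedded terminator, searching only inside the bound. */
    const uint8_t *nul = memchr(text, 0, len);
    if (nul != NULL)
        len = (size_t)(nul - text);

    /* Pass 1: bytes >= 0x80 expand to two UTF-8 bytes. */
    size_t out_len = 0;
    for (size_t i = 0; i < len; i++)
        out_len += (text[i] < 0x80) ? 1 : 2;

    char *out = malloc(out_len + 1);
    if (out == NULL)
        return NULL;

    /* Pass 2: convert exactly len input bytes. */
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t c = text[i];
        if (c < 0x80) {
            out[o++] = (char)c;
        } else {
            out[o++] = (char)(0xC0 | (c >> 6));
            out[o++] = (char)(0x80 | (c & 0x3F));
        }
    }
    out[o] = '\0';
    return out;
}
```

A frame that declares one byte more than its 37-byte buffer holds is rejected before any text byte is read, which is the condition the ASan report describes.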
Preconditions
- input: Victim must open a crafted MP3 file with mpg123
- auth: No authentication or special privileges required
- network: Attacker delivers the file over the network (e.g., download or stream)
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
- bugzilla.redhat.com/show_bug.cgi (nvd, Issue Tracking)
News mentions: 0
No linked articles in our index yet.