libming: listmp3: left shift in listmp3.c

[Agostino Sarubbo <ago () gentoo org>]

If it is suitable for a CVE please assign one. Thanks.

Description:
libming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, 
Python, C, C++, Java, and probably more on the way..

A fuzzing revealed a left shift in listmp3. The bug does not reside in any 
shared object but if you have a web application that calls directly the 
listmp3 binary to parse untrusted mp3, then you are affected.

The complete UBSan output:

# listmp3 $FILE
listmp3.c:94:23: runtime error: left shift of negative value -1
listmp3.c:95:23: runtime error: left shift of negative value -1

Affected version:
0.4.7

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00046-libming-leftshift-listmp3_c

Timeline:
2016-08-13: bug discovered
2016-10-20: bug reported to upstream
2016-11-09: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2016/11/09/libming-listmp3-left-shift-in-listmp3-c