The scan() function in mad.c in mpg321 0.3.2 allows remote attackers to trigger an out-of-bounds write via a zero bitrate in an MP3 file. References: https://sourceforge.net/p/mpg321/bugs/51/