Reported

April 28, 2025

Issued

April 30, 2025 (last modified: May 6, 2025)

Package

mp3-metadata (crates.io)

Type

INFO Unsound

Categories

• denial-of-service

References

• https://github.com/GuillaumeGomez/mp3-metadata/issues/36

Patched

• >=0.4.0

Affected Functions

Version

mp3_metadata::read_from_slice

• <0.4.0

Description

The get_id3() methods used by mp3_metadata::read_from_slice() does not perform adequate bounds checking when recreating the tag due to the use of desynchronization.

Fixed in Fix index error, released as part of 0.4.0.

Advisory available under CC0-1.0 license.