Fix handling of the length of UTF-16 content sourced from, e.g., ID3 tags.

This avoids use of strlen(), which doesn't cope well with UTF-16, and
also has the ID3 parser double-NUL-terminate the buffered string.

3 files changed, 19 insertions, 7 deletions

diff --git a/ChangeLog b/ChangeLog
index 7c37a8a48..365077ee7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,7 @@ xine-lib (1.1.17) 2009-??-??
   * Correct invalid MIME info in the MOD demuxer.
   * Fix a resource leak in libdvdnav.
   * Properly NUL-terminate when reading ID3v2.2 tag content.
+  * Fix handling of the length of UTF-16 content sourced from, e.g., ID3 tags.
 
 xine-lib (1.1.16.3) 2009-04-03
   * Security fixes:
diff --git a/src/demuxers/id3.c b/src/demuxers/id3.c
index 1aebbc817..0d0ee7231 100644
--- a/src/demuxers/id3.c
+++ b/src/demuxers/id3.c
@@ -275,8 +275,8 @@ static int id3v22_interp_frame(input_plugin_t *input,
                                id3v22_frame_header_t *frame_header) {
   char *buf;
   int enc;
-  const size_t bufsize = frame_header->size +1;
-  if ( bufsize <= 2 ) /* frames has to be _at least_ 1 byte */
+  const size_t bufsize = frame_header->size + 2;
+  if ( bufsize <= 3 ) /* frames has to be _at least_ 1 byte */
     return 0;
   
   buf = malloc(bufsize);
@@ -287,6 +287,7 @@ static int id3v22_interp_frame(input_plugin_t *input,
 
   if (input->read (input, buf, frame_header->size) == frame_header->size) {
     buf[frame_header->size] = 0;
+    buf[frame_header->size + 1] = 0;
     enc = buf[0];
     if( enc >= ID3_ENCODING_COUNT )
       enc = 0;
@@ -472,8 +473,8 @@ static int id3v23_interp_frame(input_plugin_t *input,
                                id3v23_frame_header_t *frame_header) {
   char *buf;
   int enc;
-  const size_t bufsize = frame_header->size +1;
-  if ( bufsize <= 2 ) /* frames has to be _at least_ 1 byte */
+  const size_t bufsize = frame_header->size + 2;
+  if ( bufsize <= 3 ) /* frames has to be _at least_ 1 byte */
     return 0;
   
   buf = malloc(bufsize);
@@ -484,6 +485,7 @@ static int id3v23_interp_frame(input_plugin_t *input,
 
   if (input->read (input, buf, frame_header->size) == frame_header->size) {
     buf[frame_header->size] = 0;
+    buf[frame_header->size + 1] = 0;
     enc = buf[0];
     if( enc >= ID3_ENCODING_COUNT )
       enc = 0;
@@ -726,8 +728,8 @@ static int id3v24_interp_frame(input_plugin_t *input,
                                id3v24_frame_header_t *frame_header) {
   char *buf;
   int enc;
-  const size_t bufsize = frame_header->size +1;
-  if ( bufsize <= 2 ) /* frames has to be _at least_ 1 byte */
+  const size_t bufsize = frame_header->size + 2;
+  if ( bufsize <= 3 ) /* frames has to be _at least_ 1 byte */
     return 0;
   
   buf = malloc(bufsize);
@@ -738,6 +740,7 @@ static int id3v24_interp_frame(input_plugin_t *input,
 
   if (input->read (input, buf, frame_header->size) == frame_header->size) {
     buf[frame_header->size] = 0;
+    buf[frame_header->size + 1] = 0;
     enc = buf[0];
     if( enc >= ID3_ENCODING_COUNT )
       enc = 0;
diff --git a/src/xine-engine/info_helper.c b/src/xine-engine/info_helper.c
index 34d1bbdba..6ce9bcd38 100644
--- a/src/xine-engine/info_helper.c
+++ b/src/xine-engine/info_helper.c
@@ -251,7 +251,15 @@ static void meta_info_set_unlocked_encoding(xine_stream_t *stream, int info, con
         size_t inbytesleft, outbytesleft;
 
         inbuf = (ICONV_CONST char *)value;
-        inbytesleft = strlen(value);
+        if (!strncmp (enc, "UTF-16", 6) || !strncmp (enc, "UCS-2", 5))
+        {
+          /* strlen() won't work with UTF-16* or UCS-2* */
+          inbytesleft = 0;
+          while (value[inbytesleft] || value[inbytesleft + 1])
+            inbytesleft += 2;
+        } /* ... do we need to handle UCS-4? Probably not. */
+        else
+          inbytesleft = strlen(value);
         outbytesleft = 4 * inbytesleft; /* estimative (max) */
         outbuf = utf8_value = malloc(outbytesleft+1);