author | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2008-02-07 17:51:59 +0000 |
---|---|---|
committer | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2008-02-07 17:51:59 +0000 |
commit | 5c051b721ee7ff79ae655660e9695563a902945c (patch) | |
tree | f561e224b3b20f5b8ccc86fa1d96c3f3dcdab8fe /src/demuxers | |
parent | 89c18074b7f0afb74b5abbfc4a444f41c52f2344 (diff) | |
Add length checking in the FLAC metadata-parsing code.
Make the tracknumber/tracktotal buffer larger (possible overflow).
Diffstat (limited to 'src/demuxers')
-rw-r--r-- | src/demuxers/demux_flac.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/src/demuxers/demux_flac.c b/src/demuxers/demux_flac.c index 23e2faef9..e5d1297a2 100644 --- a/src/demuxers/demux_flac.c +++ b/src/demuxers/demux_flac.c @@ -189,7 +189,7 @@ static int open_flac_file(demux_flac_t *flac) { case 4: lprintf ("VORBIS_COMMENT metadata\n"); { - char comments[block_length]; + char comments[block_length + 1]; /* last byte for NUL termination */ char *ptr = comments; uint32_t length, user_comment_list_length; int cn; @@ -202,18 +202,25 @@ static int open_flac_file(demux_flac_t *flac) { length = _X_LE_32(ptr); ptr += 4 + length; + if (length >= block_length - 8) + return 0; /* bad length or too little left in the buffer */ user_comment_list_length = _X_LE_32(ptr); ptr += 4; cn = 0; for (; cn < user_comment_list_length; cn++) { + if (ptr > comments + block_length - 4) + return 0; /* too little left in the buffer */ + length = _X_LE_32(ptr); ptr += 4; + if (length >= block_length || ptr + length > comments + block_length) + return 0; /* bad length */ comment = (char*) ptr; c = comment[length]; - comment[length] = 0; + comment[length] = 0; /* NUL termination */ lprintf ("comment[%02d] = %s\n", cn, comment); @@ -248,8 +255,8 @@ static int open_flac_file(demux_flac_t *flac) { } if ((tracknumber > 0) && (tracktotal > 0)) { - char tn[16]; - snprintf (tn, 16, "%02d/%02d", tracknumber, tracktotal); + char tn[24]; + snprintf (tn, 24, "%02d/%02d", tracknumber, tracktotal); _x_meta_info_set(flac->stream, XINE_META_INFO_TRACK_NUMBER, tn); } else if (tracknumber > 0) { |
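Review bot: `comments` is still a variable-length array on the stack sized by `block_length`, so the added `+ 1` makes room for the terminator but leaves stack usage under the file's control. `block_length` is assigned outside this hunk, presumably from the metadata block header; if so, a large value can exhaust the stack at the declaration, before any of the new length checks run. Consider a heap buffer instead, `char *comments = malloc(block_length + 1);`, with a NULL check and a `free` on every exit from this case, including the `return 0` paths this commit adds. The enclosing `open_flac_file` starts and ends outside the hunk.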
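Review bot: The first new guard, `length >= block_length - 8`, does not protect blocks shorter than 8 bytes. `block_length` is declared outside the hunk; if it is unsigned (or is converted for the comparison with the `uint32_t` length), the subtraction wraps and every length passes. The first `_X_LE_32(ptr)` also reads 4 bytes before any check on `block_length`. In the loop, `comments + block_length - 4` and `ptr + length` form pointers that can lie outside the array before they are compared, so the tests are safer written against the number of bytes remaining. The sketch below keeps the same rejections in that form; `open_flac_file` continues outside the hunk.

```c
if (block_length < 8)
  return 0; /* no room for the vendor length and the comment count */
length = _X_LE_32(ptr);
if (length > block_length - 8)
  return 0; /* vendor string overruns the block */
ptr += 4 + length;
/* … unchanged: read user_comment_list_length, cn = 0 … */
for (; cn < user_comment_list_length; cn++) {
  size_t left = (size_t)(comments + block_length - ptr);
  if (left < 4)
    return 0; /* too little left in the buffer */
  length = _X_LE_32(ptr);
  ptr += 4;
  if (length > left - 4)
    return 0; /* bad length */
  /* … unchanged: NUL-terminate and parse the comment … */
```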
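Review bot: The buffer size is written twice as a literal, in `char tn[24];` and in `snprintf (tn, 24, ...)`, so a later resize can leave the two out of step. Tie the bound to the array with `snprintf (tn, sizeof(tn), "%02d/%02d", tracknumber, tracktotal);`. The enclosing block continues outside the hunk.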