2 files changed, 13 insertions, 7 deletions

diff --git a/src/demuxers/demux_flac.c b/src/demuxers/demux_flac.c
index 23e2faef9..e5d1297a2 100644
--- a/src/demuxers/demux_flac.c
+++ b/src/demuxers/demux_flac.c
@@ -189,7 +189,7 @@ static int open_flac_file(demux_flac_t *flac) {
     case 4:
       lprintf ("VORBIS_COMMENT metadata\n");
       {
-        char comments[block_length];
+        char comments[block_length + 1]; /* last byte for NUL termination */
         char *ptr = comments;
         uint32_t length, user_comment_list_length;
         int cn;
@@ -202,18 +202,25 @@ static int open_flac_file(demux_flac_t *flac) {
 
           length = _X_LE_32(ptr);
           ptr += 4 + length;
+          if (length >= block_length - 8)
+            return 0; /* bad length or too little left in the buffer */
 
           user_comment_list_length = _X_LE_32(ptr);
           ptr += 4;
 
           cn = 0;
           for (; cn < user_comment_list_length; cn++) {
+            if (ptr > comments + block_length - 4)
+              return 0; /* too little left in the buffer */
+
             length = _X_LE_32(ptr);
             ptr += 4;
+            if (length >= block_length || ptr + length > comments + block_length)
+              return 0; /* bad length */
 
             comment = (char*) ptr;
             c = comment[length];
-            comment[length] = 0;
+            comment[length] = 0; /* NUL termination */
 
             lprintf ("comment[%02d] = %s\n", cn, comment);
 
@@ -248,8 +255,8 @@ static int open_flac_file(demux_flac_t *flac) {
           }
 
           if ((tracknumber > 0) && (tracktotal > 0)) {
-            char tn[16];
-            snprintf (tn, 16, "%02d/%02d", tracknumber, tracktotal);
+            char tn[24];
+            snprintf (tn, 24, "%02d/%02d", tracknumber, tracktotal);
             _x_meta_info_set(flac->stream, XINE_META_INFO_TRACK_NUMBER, tn);
           }
           else if (tracknumber > 0) {
diff --git a/src/demuxers/demux_mpgaudio.c b/src/demuxers/demux_mpgaudio.c
index 1bea02302..82a7dd7ab 100644
--- a/src/demuxers/demux_mpgaudio.c
+++ b/src/demuxers/demux_mpgaudio.c
@@ -807,7 +807,6 @@ static int demux_mpgaudio_read_head(input_plugin_t *input, uint8_t *buf) {
  * return 1 if detected, 0 otherwise
  */
 static int detect_mpgaudio_file(input_plugin_t *input) {
-  mpg_audio_frame_t frame;
   uint8_t buf[MAX_PREVIEW_SIZE];
   int preview_len;
   uint32_t head;
@@ -838,8 +837,8 @@ static int detect_mpgaudio_file(input_plugin_t *input) {
       lprintf("cannot read mp3 frame header\n");
       return 0;
     }
-    if (!parse_frame_header(&frame, &buf[10 + tag_size])) {
-      lprintf ("invalid mp3 frame header\n");
+    if (!sniff_buffer_looks_like_mp3(&buf[10 + tag_size], preview_len - 10 - tag_size)) {
+      lprintf ("sniff_buffer_looks_like_mp3 failed\n");
       return 0;
     } else {
       lprintf ("a valid mp3 frame follows the id3v2 tag\n");