author | Jan Schmidt <jan@centricular.com> | 2016-12-09 17:57:52 +1100 |
---|---|---|
committer | Jan Schmidt <jan@centricular.com> | 2016-12-09 18:06:35 +1100 |
commit | d178f7626aa44dffcf995bb6fda3a0d6db5f7d18 (patch) | |
tree | 70aaa6daf1bd2126bb63c5ba2d27d80fb3c7d57a | |
parent | 226dfc3f329eda621ce21cb24349eadf4ffa1fa9 (diff) |
id3v2: Add missing overrun check for frame sizes
When frames claim to have a footer, ensure they
are large enough to contain one to avoid an invalid
read overrun.
Spotted by Joshua Yabut
-rw-r--r-- | gst-libs/gst/tag/id3v2.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/gst-libs/gst/tag/id3v2.c b/gst-libs/gst/tag/id3v2.c
index 4579d25d7..54f38fca1 100644
--- a/gst-libs/gst/tag/id3v2.c
+++ b/gst-libs/gst/tag/id3v2.c
@@ -236,10 +236,16 @@ gst_tag_list_from_id3v2_tag (GstBuffer * buffer)
 work.hdr.size = read_size;
 work.hdr.flags = flags;
 work.hdr.frame_data = info.data + ID3V2_HDR_SIZE;
- if (flags & ID3V2_HDR_FLAG_FOOTER)
+
+ if (flags & ID3V2_HDR_FLAG_FOOTER) {
+ if (read_size < ID3V2_HDR_SIZE + 10)
+ goto not_enough_data; /* Invalid frame size */
 work.hdr.frame_data_size = read_size - ID3V2_HDR_SIZE - 10;
- else
+ } else {
+ if (read_size < ID3V2_HDR_SIZE)
+ goto not_enough_data; /* Invalid frame size */
 work.hdr.frame_data_size = read_size - ID3V2_HDR_SIZE;
+ }
 
 /* in v2.3 the frame sizes are not syncsafe, so the entire tag had to be
 * unsynced. In v2.4 the frame sizes are syncsafe so it's just the frame |
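Review bot: Both new guards hard-code the footer length as a bare `10`, repeating the magic number already present in the `read_size - ID3V2_HDR_SIZE - 10` subtraction, and the `/* Invalid frame size */` comments do not say what the check protects against — if `read_size` is unsigned, the subtraction would otherwise wrap to a huge `frame_data_size` and the parser would read past the end of the tag. The two branches could be folded into one to keep the bound and the subtraction in lockstep: `guint min_size = ID3V2_HDR_SIZE + ((flags & ID3V2_HDR_FLAG_FOOTER) ? ID3V2_FOOTER_SIZE : 0);`, `if (read_size < min_size) goto not_enough_data; /* tag too small for its header/footer: subtraction would wrap */`, `work.hdr.frame_data_size = read_size - min_size;`, with `ID3V2_FOOTER_SIZE` a new constant to be defined alongside `ID3V2_HDR_SIZE` (the ID3v2.4 footer is the same 10 bytes as the header). The type of `read_size` is not visible in this hunk, so `guint` above is an assumption to confirm, and gst_tag_list_from_id3v2_tag both starts and ends outside the hunk.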