id3v2: Add missing overrun check for frame sizes

When frames claim to have a footer, ensure they are large enough to contain one to avoid an invalid read overrun. Spotted by Joshua Yabut
author: Jan Schmidt <jan@centricular.com> 2016-12-09 17:57:52 +1100
committer: Jan Schmidt <jan@centricular.com> 2016-12-09 18:06:35 +1100
commit: d178f7626aa44dffcf995bb6fda3a0d6db5f7d18 (patch)
tree: 70aaa6daf1bd2126bb63c5ba2d27d80fb3c7d57a
parent: 226dfc3f329eda621ce21cb24349eadf4ffa1fa9 (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/gst-libs/gst/tag/id3v2.c b/gst-libs/gst/tag/id3v2.c
index 4579d25d7..54f38fca1 100644
--- a/gst-libs/gst/tag/id3v2.c
+++ b/gst-libs/gst/tag/id3v2.c
@@ -236,10 +236,16 @@ gst_tag_list_from_id3v2_tag (GstBuffer * buffer)
   work.hdr.size = read_size;
   work.hdr.flags = flags;
   work.hdr.frame_data = info.data + ID3V2_HDR_SIZE;
-  if (flags & ID3V2_HDR_FLAG_FOOTER)
+
+  if (flags & ID3V2_HDR_FLAG_FOOTER) {
+    if (read_size < ID3V2_HDR_SIZE + 10)
+      goto not_enough_data;     /* Invalid frame size */
     work.hdr.frame_data_size = read_size - ID3V2_HDR_SIZE - 10;
-  else
+  } else {
+    if (read_size < ID3V2_HDR_SIZE)
+      goto not_enough_data;     /* Invalid frame size */
     work.hdr.frame_data_size = read_size - ID3V2_HDR_SIZE;
+  }
 
   /* in v2.3 the frame sizes are not syncsafe, so the entire tag had to be
    * unsynced. In v2.4 the frame sizes are syncsafe so it's just the frame
author	Jan Schmidt <jan@centricular.com>	2016-12-09 17:57:52 +1100
committer	Jan Schmidt <jan@centricular.com>	2016-12-09 18:06:35 +1100
commit	d178f7626aa44dffcf995bb6fda3a0d6db5f7d18 (patch)
tree	70aaa6daf1bd2126bb63c5ba2d27d80fb3c7d57a
parent	226dfc3f329eda621ce21cb24349eadf4ffa1fa9 (diff)