diff options
| author | Max Kellermann <max@duempel.org> | 2009-07-19 17:38:46 +0200 |
|---|---|---|
| committer | Max Kellermann <max@duempel.org> | 2009-07-19 17:38:46 +0200 |
| commit | 0ce727d5d459c2319edc507eb2e71af8a1c9d5dc (patch) | |
| tree | c05bb8dc3fdb6339775c3b423cca318f75fd65a2 /src/tag_ape.c | |
| parent | e3ff0ab6d1f378aec9b98fe930ca42d1f428409e (diff) | |
ape: added protection against large memory allocations
The function tag_ape_load() retrieves a 32 bit unsigned integer from
the input file, and passes it to g_malloc(). This is dangerous, and
may be used for a denial of service attack on MPD.
Diffstat (limited to 'src/tag_ape.c')
| -rw-r--r-- | src/tag_ape.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/tag_ape.c b/src/tag_ape.c index ef921141..7cbf3220 100644 --- a/src/tag_ape.c +++ b/src/tag_ape.c @@ -89,6 +89,9 @@ tag_ape_load(const char *file) tagLen = GUINT32_FROM_LE(footer.length); if (tagLen <= sizeof(footer) + 10) goto fail; + if (tagLen > 1024 * 1024) + /* refuse to load more than one megabyte of tag data */ + goto fail; if (fseek(fp, size - tagLen, SEEK_SET)) goto fail; |