author | Max Kellermann <max@duempel.org> | 2009-08-15 21:18:38 +0200 |
---|---|---|
committer | Max Kellermann <max@duempel.org> | 2009-08-15 21:18:38 +0200 |
commit | f401c1059c78358b701dbee22ca78035c6e652eb (patch) | |
tree | 5cf487eea76b70b91e6acee8f55b6ca135b45a4a /src/tag_ape.c | |
parent | e28a0e97b5d2e54684c6452d6d45f64ff1e542d9 (diff) | |
parent | 5715534b530cfed0d6650b0fb34cfcb17da4088b (diff) |
Merged release 0.15.2 from branch 'v0.15.x'
Conflicts:
NEWS
configure.ac
Diffstat (limited to 'src/tag_ape.c')
-rw-r--r-- | src/tag_ape.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/src/tag_ape.c b/src/tag_ape.c index 4c3f4cf1..e3b848bf 100644 --- a/src/tag_ape.c +++ b/src/tag_ape.c @@ -22,6 +22,7 @@ #include <glib.h> +#include <assert.h> #include <stdio.h> static const char *const ape_tag_names[] = { @@ -95,15 +96,18 @@ tag_ape_load(const char *file) /* find beginning of ape tag */ tagLen = GUINT32_FROM_LE(footer.length); - if (tagLen < sizeof(footer)) + if (tagLen <= sizeof(footer) + 10) + goto fail; + if (tagLen > 1024 * 1024) + /* refuse to load more than one megabyte of tag data */ goto fail; if (fseek(fp, size - tagLen, SEEK_SET)) goto fail; /* read tag into buffer */ tagLen -= sizeof(footer); - if (tagLen <= 0) - goto fail; + assert(tagLen > 10); + buffer = g_malloc(tagLen); if (fread(buffer, 1, tagLen, fp) != tagLen) goto fail; @@ -121,7 +125,7 @@ tag_ape_load(const char *file) /* get the key */ key = p; - while (tagLen - size > 0 && *p != '\0') { + while (tagLen > size && *p != '\0') { p++; tagLen--; } |
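Review bot: In the second hunk (`@@ -95,15 +96,18 @@`) `tagLen` comes straight from the file's footer and is now bounded below and capped at one megabyte, but it is still never compared with `size` before `fseek(fp, size - tagLen, SEEK_SET)`. If both are unsigned (their declarations are outside the hunk, as are the start and end of tag_ape_load), a tag length larger than the file makes the subtraction wrap, and the code then depends on fseek() rejecting the resulting offset. An explicit `if (tagLen > size) goto fail;` ahead of the seek would remove that dependency. The `assert(tagLen > 10)` disappears under NDEBUG, so the `<=` test above it must remain the real guard. The literals `10` and `1024 * 1024` would read better as named constants, and the unbraced `if` with a comment between the condition and `goto fail;` deserves braces.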
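Review bot: The rewritten loop condition `tagLen > size` in the third hunk (`@@ -121,7 +125,7 @@`) has no comment saying why the subtraction form was dropped, so a later cleanup could quietly reintroduce it. A comment above the loop would cover it: `/* compare, don't subtract: with unsigned operands tagLen - size wraps instead of going negative */` (this assumes both are unsigned; the declarations are not in the hunk). The loop can also stop with `*p` not being NUL when the remaining length runs out. Whether `key` is rejected in that case is decided by code after the hunk, so that path is worth checking in the full function.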