Merged release 0.15.2 from branch 'v0.15.x'

Conflicts: NEWS configure.ac
author: Max Kellermann <max@duempel.org> 2009-08-15 21:18:38 +0200
committer: Max Kellermann <max@duempel.org> 2009-08-15 21:18:38 +0200
commit: f401c1059c78358b701dbee22ca78035c6e652eb (patch)
tree: 5cf487eea76b70b91e6acee8f55b6ca135b45a4a /src/tag_ape.c
parent: e28a0e97b5d2e54684c6452d6d45f64ff1e542d9 (diff)
parent: 5715534b530cfed0d6650b0fb34cfcb17da4088b (diff)
1 files changed, 8 insertions, 4 deletions
diff --git a/src/tag_ape.c b/src/tag_ape.c
index 4c3f4cf1..e3b848bf 100644
--- a/src/tag_ape.c
+++ b/src/tag_ape.c
@@ -22,6 +22,7 @@
 
 #include <glib.h>
 
+#include <assert.h>
 #include <stdio.h>
 
 static const char *const ape_tag_names[] = {
@@ -95,15 +96,18 @@ tag_ape_load(const char *file)
 
 	/* find beginning of ape tag */
 	tagLen = GUINT32_FROM_LE(footer.length);
-	if (tagLen < sizeof(footer))
+	if (tagLen <= sizeof(footer) + 10)
+		goto fail;
+	if (tagLen > 1024 * 1024)
+		/* refuse to load more than one megabyte of tag data */
 		goto fail;
 	if (fseek(fp, size - tagLen, SEEK_SET))
 		goto fail;
 
 	/* read tag into buffer */
 	tagLen -= sizeof(footer);
-	if (tagLen <= 0)
-		goto fail;
+	assert(tagLen > 10);
+
 	buffer = g_malloc(tagLen);
 	if (fread(buffer, 1, tagLen, fp) != tagLen)
 		goto fail;
@@ -121,7 +125,7 @@ tag_ape_load(const char *file)
 
 		/* get the key */
 		key = p;
-		while (tagLen - size > 0 && *p != '\0') {
+		while (tagLen > size && *p != '\0') {
 			p++;
 			tagLen--;
 		}
author	Max Kellermann <max@duempel.org>	2009-08-15 21:18:38 +0200
committer	Max Kellermann <max@duempel.org>	2009-08-15 21:18:38 +0200
commit	f401c1059c78358b701dbee22ca78035c6e652eb (patch)
tree	5cf487eea76b70b91e6acee8f55b6ca135b45a4a /src/tag_ape.c
parent	e28a0e97b5d2e54684c6452d6d45f64ff1e542d9 (diff)
parent	5715534b530cfed0d6650b0fb34cfcb17da4088b (diff)