author | Max Kellermann <max@duempel.org> | 2009-07-18 22:45:56 +0200 |
---|---|---|
committer | Max Kellermann <max@duempel.org> | 2009-07-18 22:45:56 +0200 |
commit | a988b9b0259e7d0b1090913087369dd504cd0f45 | |
tree | ba1505e1cae1079527c38868dee3c4735aab0086 | |
parent | c8c91d9aaab1ea428fa4bafeb72775642e98603a | |
ape: check the tag size (fixes integer underflow)
The expression "tagLen - size > 0" may result in an integer underflow
and a buffer overflow, when "size" is larger than "tagLen". "size" is
read from the input file, and must not be trusted. This patch changes
the expression to "tagLen > size", which is a lot safer.
Diffstat (limited to '')
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | src/tag_ape.c | 2 |
2 files changed, 3 insertions, 1 deletions
@@ -1,4 +1,6 @@ ver 0.15.2 (2009/??/??) +* tags: + - ape: check the tag size (fixes integer underflow) ver 0.15.1 (2009/07/15) diff --git a/src/tag_ape.c b/src/tag_ape.c index d1249fcb2..0d504dc7d 100644 --- a/src/tag_ape.c +++ b/src/tag_ape.c @@ -112,7 +112,7 @@ tag_ape_load(const char *file) /* get the key */ key = p; - while (tagLen - size > 0 && *p != '\0') { + while (tagLen > size && *p != '\0') { p++; tagLen--; } |
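
Review bot: in the src/tag_ape.c hunk, the new condition `while (tagLen > size && *p != '\0')` only skips the loop when `size` is greater than or equal to `tagLen`; nothing in the visible lines rejects the item in that case, so `key` is left pointing at unscanned data and the code after the loop still holds the untrusted `size`. Consider an explicit check before the loop that stops parsing when `size >= tagLen`, and a check after it that the loop ended on '\0' rather than on the length bound, since the two exit conditions are not distinguished here. The declarations of `tagLen` and `size` are outside this hunk; it is worth confirming they share one unsigned type, because a mixed signed/unsigned comparison would bring back a conversion problem. A one-line comment at the loop noting that `size` comes from the input file would keep the reason for the comparison order visible to later editors.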