author | Max Kellermann <max@duempel.org> | 2008-08-26 08:27:11 +0200 |
---|---|---|
committer | Eric Wong <normalperson@yhbt.net> | 2008-08-30 18:45:13 -0700 |
commit | ca5eaffc16b9ace0ea7af519ef949bf014f42120 (patch) | |
tree | 2d418ebd0cccf15011ed773f5718b97f08af5132 | |
parent | 20755291951a9cb9e21afba763a80015229e7655 (diff) | |
download | mpd-ca5eaffc16b9ace0ea7af519ef949bf014f42120.tar.gz mpd-ca5eaffc16b9ace0ea7af519ef949bf014f42120.tar.xz mpd-ca5eaffc16b9ace0ea7af519ef949bf014f42120.zip |
aac: check buffer lengths
The AAC plugin sometimes does not check the length of available data
when checking for magic prefixes. Add length checks.
-rw-r--r-- | src/inputPlugins/aac_plugin.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/inputPlugins/aac_plugin.c b/src/inputPlugins/aac_plugin.c
index e9eccf31a..faddb78c6 100644
--- a/src/inputPlugins/aac_plugin.c
+++ b/src/inputPlugins/aac_plugin.c
@@ -196,7 +196,7 @@ static void initAacBuffer(InputStream * inStream, AacBuffer * b, float *length)
 fillAacBuffer(b);
 tagsize = 0;
- if (!memcmp(b->buffer, "ID3", 3)) {
+ if (b->bytesIntoBuffer >= 10 && !memcmp(b->buffer, "ID3", 3)) {
 tagsize = (b->buffer[6] << 21) | (b->buffer[7] << 14) | (b->buffer[8] << 7) | (b->buffer[9] << 0);
@@ -208,7 +208,8 @@ static void initAacBuffer(InputStream * inStream, AacBuffer * b, float *length)
 if (length == NULL) return;
- if ((b->buffer[0] == 0xFF) && ((b->buffer[1] & 0xF6) == 0xF0)) {
+ if (b->bytesIntoBuffer >= 2 &&
+ (b->buffer[0] == 0xFF) && ((b->buffer[1] & 0xF6) == 0xF0)) {
 adtsParse(b, length);
 seekInputStream(b->inStream, tagsize, SEEK_SET);
|
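Review bot: The size decoded from `b->buffer[6]`..`b->buffer[9]` in the first hunk is taken from the file as-is: the bytes are not masked to seven bits, so a malformed header with a high bit set yields overlapping fields, and nothing visible bounds `tagsize` before it is used as an offset in `seekInputStream(b->inStream, tagsize, SEEK_SET)`. Masking each byte, e.g. `((b->buffer[6] & 0x7F) << 21)`, and rejecting a tag size larger than the stream would harden this path. The new `>= 10` is the ID3v2 header length and would read better as a named constant. The code that consumes `tagsize` lies outside the hunk, so whether it already clamps the value needs confirming there.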
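Review bot: The `b->bytesIntoBuffer >= 2` guard in the second hunk covers only the two sync bytes tested on that line; `adtsParse(b, length)` is then entered with a buffer that may hold as little as two bytes, and its own length handling is not visible here. It is worth confirming that adtsParse checks the available byte count before reading each frame header, and that any further magic comparison in the branch following this `if` (outside the hunk) carries the same kind of guard. A short comment such as `/* need 2 bytes for the ADTS sync word */` would document the constant.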