authorMax Kellermann <max@duempel.org>2009-07-18 22:45:56 +0200
committerMax Kellermann <max@duempel.org>2009-07-18 22:45:56 +0200
commita988b9b0259e7d0b1090913087369dd504cd0f45 (patch)
treeba1505e1cae1079527c38868dee3c4735aab0086
parentc8c91d9aaab1ea428fa4bafeb72775642e98603a (diff)
ape: check the tag size (fixes integer underflow)
The expression "tagLen - size > 0" may result in an integer underflow and a buffer overflow, when "size" is larger than "tagLen". "size" is read from the input file, and must not be trusted. This patch changes the expression to "tagLen > size", which is a lot safer.
-rw-r--r--NEWS2
-rw-r--r--src/tag_ape.c2
2 files changed, 3 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index d6da68e72..66ad2cfed 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,6 @@
ver 0.15.2 (2009/??/??)
+* tags:
+ - ape: check the tag size (fixes integer underflow)
ver 0.15.1 (2009/07/15)
diff --git a/src/tag_ape.c b/src/tag_ape.c
index d1249fcb2..0d504dc7d 100644
--- a/src/tag_ape.c
+++ b/src/tag_ape.c
@@ -112,7 +112,7 @@ tag_ape_load(const char *file)
/* get the key */
key = p;
- while (tagLen - size > 0 && *p != '\0') {
+ while (tagLen > size && *p != '\0') {
p++;
tagLen--;
}
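Review bot: The rewritten condition on the `while` line lets the loop end for two different reasons, either the key's terminating NUL was found or `tagLen` fell to `size`, and nothing in the visible lines tells the two apart. Because `size` is read from the file, the code after the loop (outside this hunk, so this is inferred) should reject the item unless `*p == '\0'` and the remaining `tagLen` still covers the terminator plus `size` value bytes, before `p` is advanced or the value is read. A short comment on the loop would also keep the comparison from being turned back into a subtraction later: `/* size is untrusted file data: compare, never subtract, so an oversized value cannot wrap */`. The body of tag_ape_load starts and ends outside the hunk.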