aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMax Kellermann <max@duempel.org>2009-07-19 17:38:46 +0200
committerMax Kellermann <max@duempel.org>2009-07-19 17:38:46 +0200
commit0ce727d5d459c2319edc507eb2e71af8a1c9d5dc (patch)
treec05bb8dc3fdb6339775c3b423cca318f75fd65a2
parente3ff0ab6d1f378aec9b98fe930ca42d1f428409e (diff)
downloadmpd-0ce727d5d459c2319edc507eb2e71af8a1c9d5dc.tar.gz
mpd-0ce727d5d459c2319edc507eb2e71af8a1c9d5dc.tar.xz
mpd-0ce727d5d459c2319edc507eb2e71af8a1c9d5dc.zip
ape: added protection against large memory allocations
The function tag_ape_load() retrieves a 32 bit unsigned integer from the input file, and passes it to g_malloc(). This is dangerous, and may be used for a denial of service attack on MPD.
-rw-r--r--NEWS1
-rw-r--r--src/tag_ape.c3
2 files changed, 4 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 66ad2cfed..8e2c59b78 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
ver 0.15.2 (2009/??/??)
* tags:
- ape: check the tag size (fixes integer underflow)
+ - ape: added protection against large memory allocations
ver 0.15.1 (2009/07/15)
diff --git a/src/tag_ape.c b/src/tag_ape.c
index ef921141b..7cbf32208 100644
--- a/src/tag_ape.c
+++ b/src/tag_ape.c
@@ -89,6 +89,9 @@ tag_ape_load(const char *file)
tagLen = GUINT32_FROM_LE(footer.length);
if (tagLen <= sizeof(footer) + 10)
goto fail;
+ if (tagLen > 1024 * 1024)
+ /* refuse to load more than one megabyte of tag data */
+ goto fail;
if (fseek(fp, size - tagLen, SEEK_SET))
goto fail;