diff options
| author | Max Kellermann <max@duempel.org> | 2009-07-18 22:45:56 +0200 |
|---|---|---|
| committer | Max Kellermann <max@duempel.org> | 2009-07-18 22:45:56 +0200 |
| commit | a988b9b0259e7d0b1090913087369dd504cd0f45 (patch) | |
| tree | ba1505e1cae1079527c38868dee3c4735aab0086 /src | |
| parent | c8c91d9aaab1ea428fa4bafeb72775642e98603a (diff) | |
| download | mpd-a988b9b0259e7d0b1090913087369dd504cd0f45.tar.gz mpd-a988b9b0259e7d0b1090913087369dd504cd0f45.tar.xz mpd-a988b9b0259e7d0b1090913087369dd504cd0f45.zip | |
ape: check the tag size (fixes integer underflow)
The expression "tagLen - size > 0" may result in an integer underflow
and a buffer overflow, when "size" is larger than "tagLen". "size" is
read from the input file, and must not be trusted. This patch changes
the expression to "tagLen > size", which is a lot safer.
Diffstat (limited to 'src')
| -rw-r--r-- | src/tag_ape.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/tag_ape.c b/src/tag_ape.c index d1249fcb2..0d504dc7d 100644 --- a/src/tag_ape.c +++ b/src/tag_ape.c @@ -112,7 +112,7 @@ tag_ape_load(const char *file) /* get the key */ key = p; - while (tagLen - size > 0 && *p != '\0') { + while (tagLen > size && *p != '\0') { p++; tagLen--; } |