aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorMax Kellermann <max@duempel.org>2009-07-18 22:45:56 +0200
committerMax Kellermann <max@duempel.org>2009-07-18 22:45:56 +0200
commita988b9b0259e7d0b1090913087369dd504cd0f45 (patch)
treeba1505e1cae1079527c38868dee3c4735aab0086 /src
parentc8c91d9aaab1ea428fa4bafeb72775642e98603a (diff)
downloadmpd-a988b9b0259e7d0b1090913087369dd504cd0f45.tar.gz
mpd-a988b9b0259e7d0b1090913087369dd504cd0f45.tar.xz
mpd-a988b9b0259e7d0b1090913087369dd504cd0f45.zip
ape: check the tag size (fixes integer underflow)
The expression "tagLen - size > 0" may result in an integer underflow and a buffer overflow, when "size" is larger than "tagLen". "size" is read from the input file, and must not be trusted. This patch changes the expression to "tagLen > size", which is a lot safer.
Diffstat (limited to 'src')
-rw-r--r--src/tag_ape.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/tag_ape.c b/src/tag_ape.c
index d1249fcb2..0d504dc7d 100644
--- a/src/tag_ape.c
+++ b/src/tag_ape.c
@@ -112,7 +112,7 @@ tag_ape_load(const char *file)
/* get the key */
key = p;
- while (tagLen - size > 0 && *p != '\0') {
+ while (tagLen > size && *p != '\0') {
p++;
tagLen--;
}