aac: check buffer lengths

The AAC plugin sometimes does not check the length of available data when checking for magic prefixes. Add length checks.
author: Max Kellermann <max@duempel.org> 2008-08-26 08:27:11 +0200
committer: Eric Wong <normalperson@yhbt.net> 2008-08-30 18:45:13 -0700
commit: ca5eaffc16b9ace0ea7af519ef949bf014f42120 (patch)
tree: 2d418ebd0cccf15011ed773f5718b97f08af5132 /src
parent: 20755291951a9cb9e21afba763a80015229e7655 (diff)
download: mpd-ca5eaffc16b9ace0ea7af519ef949bf014f42120.tar.gz
mpd-ca5eaffc16b9ace0ea7af519ef949bf014f42120.tar.xz
mpd-ca5eaffc16b9ace0ea7af519ef949bf014f42120.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/src/inputPlugins/aac_plugin.c b/src/inputPlugins/aac_plugin.c
index e9eccf31a..faddb78c6 100644
--- a/src/inputPlugins/aac_plugin.c
+++ b/src/inputPlugins/aac_plugin.c
@@ -196,7 +196,7 @@ static void initAacBuffer(InputStream * inStream, AacBuffer * b, float *length)
 	fillAacBuffer(b);
 
 	tagsize = 0;
-	if (!memcmp(b->buffer, "ID3", 3)) {
+	if (b->bytesIntoBuffer >= 10 && !memcmp(b->buffer, "ID3", 3)) {
 		tagsize = (b->buffer[6] << 21) | (b->buffer[7] << 14) |
 		    (b->buffer[8] << 7) | (b->buffer[9] << 0);
 
@@ -208,7 +208,8 @@ static void initAacBuffer(InputStream * inStream, AacBuffer * b, float *length)
 	if (length == NULL)
 		return;
 
-	if ((b->buffer[0] == 0xFF) && ((b->buffer[1] & 0xF6) == 0xF0)) {
+	if (b->bytesIntoBuffer >= 2 &&
+	    (b->buffer[0] == 0xFF) && ((b->buffer[1] & 0xF6) == 0xF0)) {
 		adtsParse(b, length);
 		seekInputStream(b->inStream, tagsize, SEEK_SET);
author	Max Kellermann <max@duempel.org>	2008-08-26 08:27:11 +0200
committer	Eric Wong <normalperson@yhbt.net>	2008-08-30 18:45:13 -0700
commit	ca5eaffc16b9ace0ea7af519ef949bf014f42120 (patch)
tree	2d418ebd0cccf15011ed773f5718b97f08af5132 /src
parent	20755291951a9cb9e21afba763a80015229e7655 (diff)
download	mpd-ca5eaffc16b9ace0ea7af519ef949bf014f42120.tar.gz mpd-ca5eaffc16b9ace0ea7af519ef949bf014f42120.tar.xz mpd-ca5eaffc16b9ace0ea7af519ef949bf014f42120.zip