From e3ff0ab6d1f378aec9b98fe930ca42d1f428409e Mon Sep 17 00:00:00 2001
From: Max Kellermann
Date: Sun, 19 Jul 2009 17:37:02 +0200
Subject: tag_ape: removed redundant length check

Extend the tagLen check after reading it. Removed the second (redundant) check after the subtraction.
---
 src/tag_ape.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/tag_ape.c b/src/tag_ape.c
index 0d504dc7d..ef921141b 100644
--- a/src/tag_ape.c
+++ b/src/tag_ape.c
@@ -22,6 +22,7 @@
 #include
+#include
 #include
 struct tag *
@@ -86,15 +87,15 @@ tag_ape_load(const char *file)
 /* find beginning of ape tag */
 tagLen = GUINT32_FROM_LE(footer.length);
- if (tagLen < sizeof(footer))
+ if (tagLen <= sizeof(footer) + 10)
 goto fail;
 if (fseek(fp, size - tagLen, SEEK_SET))
 goto fail;
 /* read tag into buffer */
 tagLen -= sizeof(footer);
- if (tagLen <= 0)
- goto fail;
+ assert(tagLen > 10);
+
 buffer = g_malloc(tagLen);
 if (fread(buffer, 1, tagLen, fp) != tagLen)
 goto fail;
--
cgit v1.2.3
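Review bot: The widened check in tag_ape_load bounds tagLen only from below, so a footer length larger than the file still reaches `fseek(fp, size - tagLen, SEEK_SET)` and `g_malloc(tagLen)`. tagLen is read straight from the file's footer, and g_malloc terminates the process when an allocation fails, so an oversized value in a malformed file can end in an abort unless the fseek happens to reject the offset. The declarations of `size` and `tagLen` are outside the hunk, so whether the subtraction can wrap is not visible here. Consider rejecting the value in the same test, `if (tagLen <= sizeof(footer) + 10 || tagLen > size)`. A short comment saying what the 10 stands for would also help, since the literal is repeated in the assert; the function body starts and ends outside the hunk.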