From ca5eaffc16b9ace0ea7af519ef949bf014f42120 Mon Sep 17 00:00:00 2001
From: Max Kellermann
Date: Tue, 26 Aug 2008 08:27:11 +0200
Subject: aac: check buffer lengths
The AAC plugin sometimes does not check the length of available data when checking for magic prefixes. Add length checks.
---
 src/inputPlugins/aac_plugin.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'src/inputPlugins/aac_plugin.c')
diff --git a/src/inputPlugins/aac_plugin.c b/src/inputPlugins/aac_plugin.c
index e9eccf31a..faddb78c6 100644
--- a/src/inputPlugins/aac_plugin.c
+++ b/src/inputPlugins/aac_plugin.c
@@ -196,7 +196,7 @@ static void initAacBuffer(InputStream * inStream, AacBuffer * b, float *length)
 fillAacBuffer(b);
 tagsize = 0;
- if (!memcmp(b->buffer, "ID3", 3)) {
+ if (b->bytesIntoBuffer >= 10 && !memcmp(b->buffer, "ID3", 3)) {
 tagsize = (b->buffer[6] << 21) | (b->buffer[7] << 14) | (b->buffer[8] << 7) | (b->buffer[9] << 0);
@@ -208,7 +208,8 @@ static void initAacBuffer(InputStream * inStream, AacBuffer * b, float *length)
 if (length == NULL) return;
- if ((b->buffer[0] == 0xFF) && ((b->buffer[1] & 0xF6) == 0xF0)) {
+ if (b->bytesIntoBuffer >= 2 &&
+ (b->buffer[0] == 0xFF) && ((b->buffer[1] & 0xF6) == 0xF0)) {
 adtsParse(b, length);
 seekInputStream(b->inStream, tagsize, SEEK_SET);
--
cgit v1.2.3
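Review bot: The `tagsize` decoded from bytes 6–9 inside the guarded `if` comes straight from the file and is not range-checked in the visible lines, so the new `b->bytesIntoBuffer >= 10` test protects only the header read itself. ID3v2 sizes are syncsafe (7 bits per byte), so masking each byte, e.g. `tagsize = ((b->buffer[6] & 0x7F) << 21) | ((b->buffer[7] & 0x7F) << 14) |` and likewise for bytes 8 and 9, keeps a malformed header from producing overlapping bits. The body of this `if` continues past the hunk; whatever consumes `tagsize` there should also compare it with `b->bytesIntoBuffer` before skipping data. A short comment such as `/* 10 = size of the ID3v2 header */` would explain the constant.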
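Review bot: The `b->bytesIntoBuffer >= 2` guard in the second hunk covers only the two sync bytes tested in this condition, while `adtsParse(b, length)` is called right after and presumably reads further into the ADTS frame header, which is at least 7 bytes long. adtsParse is not visible here, so confirm that it checks `bytesIntoBuffer` itself before each header read; if it does not, raise the bound at this call site. initAacBuffer continues outside the hunk, and any other magic-prefix test further down would need the same kind of length check.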