ref: 66803a3a42948ace7c62d8bbe9574f53eec8f506
parent: ff6f7fd517d4bc5b64842a24df2fddc47074a402
author: Sigrid Solveig Haflínudóttir <[email protected]>
date: Wed Mar 6 12:34:43 EST 2024
flac: ignore tags of nonsensical sizes
--- a/flac.c
+++ b/flac.c
@@ -32,7 +32,8 @@
if(ctx->read(ctx, d, 4) != 4)
return -1;
- sz = beu3(&d[1]);
+ if((sz = beu3(&d[1])) < 0)
+ return -1;
if((d[0] & 0x80) != 0)
last = 1;
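Review bot: The added `< 0` test on `sz` probably cannot fire. `beu3` decodes three bytes, so unless it is defined over signed chars (its definition is outside this hunk) the result always lies in 0..0xffffff. If the goal is to reject oversized blocks, that needs an upper bound at the point where `sz` is consumed. Otherwise a comment such as `/* sz is a 24-bit block length; per-block minimums are checked below */` would keep a reader from treating this line as the size validation. The enclosing loop body starts and ends outside the hunk.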
@@ -40,12 +41,12 @@
int n, offset;
char *mime;
- if(sz < 16 || ctx->read(ctx, d, 8) != 8) /* type, mime length */
+ if(sz < 8+4+20 || ctx->read(ctx, d, 8) != 8) /* type, mime length */
return -1;
sz -= 8;
n = beuint(&d[4]);
mime = ctx->buf+20;
- if(n >= sz || n >= ctx->bufsz-20 || ctx->read(ctx, mime, n) != n)
+ if(n < 0 || n >= sz-4-20 || n >= ctx->bufsz-20 || ctx->read(ctx, mime, n) != n)
return -1;
sz -= n;
mime[n] = 0;
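Review bot: The constants in `sz < 8+4+20` and `n >= sz-4-20` are not explained; the trailing comment `/* type, mime length */` covers only the 8. Judging by the reads further down, the 4 appears to be the description length field and the 20 the fixed fields that end in the data length. A comment such as `/* 8: type + mime length, 4: description length, 20: dimensions..data length */` above the first test would document that. It is also worth stating there that `sz-4-20` cannot go negative only because the earlier `sz < 8+4+20` test runs before `sz -= 8`, since the bound on `n` depends on that ordering. The picture branch starts before this hunk and continues past it.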
@@ -54,8 +55,10 @@
offset = beuint(d) + ctx->seek(ctx, 0, 1) + 20;
ctx->read(ctx, d, 20);
sz -= 20;
- n = beuint(&d[16]);
- tagscallcb(ctx, Timage, "", mime, offset, n, nil);
+ if((n = beuint(&d[16])) < 0)
+ return -1;
+ if(n > 0)
+ tagscallcb(ctx, Timage, "", mime, offset, n, nil);
if(ctx->seek(ctx, sz, 1) <= 0)
return -1;
}else if((d[0] & 0x7f) == 4){ /* 4 = vorbis comment */
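Review bot: The new `n < 0` test validates bytes from a read whose result is never checked. `ctx->read(ctx, d, 20)` on the line above can come up short and leave stale data in `d[16..19]`; `if(ctx->read(ctx, d, 20) != 20) return -1;` would close that. Only the sign of `n` is tested, so an image length larger than the rest of the block still reaches `tagscallcb`. If `sz` holds the remaining block bytes at this point, as the subtractions suggest, `if((n = beuint(&d[16])) < 0 || n > sz)` would bound it. The description length in `offset = beuint(d) + ctx->seek(ctx, 0, 1) + 20` is likewise used unchecked, so a negative or very large value yields a bogus offset or a signed overflow in the addition. It should get the same `< 0` and `<= sz` tests before it is added. The branch begins outside this hunk, so the read that fills `d` for the description length is not visible here.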