ref: a2dc55b11af2a516fef397f8af0f49d041b932f0
parent: 7532a6a2fe10b954163cb82f2151222226e4a5b3
author: Michael Forney <[email protected]>
date: Thu Feb 11 00:17:23 EST 2021
[PATCH libtags] flac: handle vorbis comments with no fields In this case, sz is exactly vensz+4, and numtags is 0. Also, subtract vensz from sz after we skip past it so that the subsequent range checks are correct.
--- a/flac.c
+++ b/flac.c
@@ -64,12 +64,12 @@
sz -= 4;
vensz = leuint(d);
- if(vensz < 0 || vensz > sz-8)
+ if(vensz < 0 || vensz > sz-4)
return -1;
/* skip vendor, read the number of tags */
if(ctx->seek(ctx, vensz, 1) < 0 || ctx->read(ctx, d, 4) != 4)
return -1;
- sz -= 4;
+ sz -= vensz + 4;
numtags = leuint(d);
for(i = 0; i < numtags && sz > 4; i++){