APE: Bounds check the length of values

`pos`, `valLegnth`, and `data.size()` are all unsigned types so we have
to do a little dance to correctly bounds check them without overflow.

Without this we can get stuck in an infinite loop due to 'pos'
overflowing back to the start of the data.
bobsayshilol 2021-04-24 16:39:39 +01:00 committed by Urs Fleisch
parent 1d3e080f04
commit 03d03f782e


@ -421,6 +421,11 @@ void APE::Tag::parse(const ByteVector &data)
const unsigned int keyLength = nullPos - pos - 8;
const unsigned int valLegnth = data.toUInt(pos, false);
if(valLegnth >= data.size() || pos > data.size() - valLegnth) {
debug("APE::Tag::parse() - Invalid val length. Stopped parsing.");
return;
}
if(keyLength >= MinKeyLength
&& keyLength <= MaxKeyLength
&& isKeyValid(data.mid(pos + 8, keyLength)))
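Review bot: the new check only bounds `pos + valLegnth` against `data.size()`, but the value does not begin at `pos`; the visible lines show an 8-byte item header followed by the key (`data.mid(pos + 8, keyLength)`, with `keyLength = nullPos - pos - 8`), so the value itself starts at or beyond `nullPos`. A value length that fits when measured from `pos` can still overrun the buffer once the header and key are added, so the stop condition should be computed from the value's actual start offset rather than from `pos`, for example `const unsigned int valPos = nullPos + 1;` followed by `if(valLegnth > data.size() || valPos > data.size() - valLegnth)`. The order of the two comparisons is correct as written: rejecting `valLegnth >= data.size()` first is what keeps the unsigned subtraction `data.size() - valLegnth` from wrapping, which is the "dance" the commit message describes. Minor: the existing identifier `valLegnth` is misspelled (`valLength`); since this hunk touches every use of it, this would be a cheap place to rename it.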