From 03d03f782ee98b72d39e8164367bdf5bfd4a0872 Mon Sep 17 00:00:00 2001
From: bobsayshilol
Date: Sat, 24 Apr 2021 16:39:39 +0100
Subject: [PATCH] APE: Bounds check the length of values

`pos`, `valLegnth`, and `data.size()` are all unsigned types so we have to do a little dance to correctly bounds check them without overflow. Without this we can get stuck in an infinite loop due to 'pos' overflowing back to the start of the data.
---
 taglib/ape/apetag.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/taglib/ape/apetag.cpp b/taglib/ape/apetag.cpp
index a2bdaeed..6fa9f05a 100644
--- a/taglib/ape/apetag.cpp
+++ b/taglib/ape/apetag.cpp
@@ -421,6 +421,11 @@ void APE::Tag::parse(const ByteVector &data)
     const unsigned int keyLength = nullPos - pos - 8;
     const unsigned int valLegnth = data.toUInt(pos, false);
 
+    if(valLegnth >= data.size() || pos > data.size() - valLegnth) {
+      debug("APE::Tag::parse() - Invalid val length. Stopped parsing.");
+      return;
+    }
+
     if(keyLength >= MinKeyLength && keyLength <= MaxKeyLength &&
        isKeyValid(data.mid(pos + 8, keyLength)))