From 4382e84e9ef662c1929783db48047484b7c6cbb9 Mon Sep 17 00:00:00 2001
From: Scott Wheeler
Date: Tue, 13 Feb 2007 09:26:31 +0000
Subject: [PATCH] Add another sanity check -- don't let invalid frames try to allocate anything larger than the tag size.
BUG:140515
git-svn-id: svn://anonsvn.kde.org/home/kde/trunk/kdesupport/taglib@633123 283d02a7-25f6-0310-bc7c-ecb5cbfe19da
---
 taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp b/taglib/mpeg/id3v2/id3v2framefactory.cpp
index 91e365fd..983e5a48 100644
--- a/taglib/mpeg/id3v2/id3v2framefactory.cpp
+++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp
@@ -73,7 +73,10 @@ Frame *FrameFactory::createFrame(const ByteVector &data, uint version) const
 // A quick sanity check -- make sure that the frameID is 4 uppercase Latin1
 // characters. Also make sure that there is data in the frame.
- if(!frameID.size() == (version < 3 ? 3 : 4) || header->frameSize() <= 0) {
+ if(!frameID.size() == (version < 3 ? 3 : 4) ||
+ header->frameSize() <= 0 ||
+ header->frameSize() > data.size())
+ {
 delete header;
 return 0;
 }
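Review bot: The first clause of the rewritten condition, `!frameID.size() == (version < 3 ? 3 : 4)`, is carried over unchanged and can never be true: `!` binds tighter than `==`, so a bool is compared with 3 or 4 and the frame ID length read from the file is not validated at all. It should read `frameID.size() != (version < 3 ? 3 : 4) ||`. The new bound `header->frameSize() > data.size()` compares the payload size with the whole buffer, which presumably still includes the frame header, so a declared size that overshoots by up to the header length would still pass; comparing against the buffer size minus the header length would be tighter, if that is what `data` holds here. createFrame's body starts and ends outside the hunk, so how the size is consumed afterwards is not visible.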