Check the packet size to fix a segfault error while parsing fuzzed MPC files.

Tsuda Kageyu
2015-01-08 12:49:33 +09:00
parent 65664e6855
commit 829ae2112a
3 changed files with 28 additions and 0 deletions


@ -206,13 +206,28 @@ void MPC::Properties::readSV8(File *file)
if(packetType == "SH") {
// Stream Header
// http://trac.musepack.net/wiki/SV8Specification#StreamHeaderPacket
if(dataSize <= 5) {
debug("MPC::Properties::readSV8() - \"SH\" packet is too short to parse.");
break;
}
readSH = true;
TagLib::uint pos = 4;
d->version = data[pos];
pos += 1;
d->sampleFrames = readSize(data.mid(pos), pos);
if(pos > dataSize - 3) {
debug("MPC::Properties::readSV8() - \"SH\" packet is corrupt.");
break;
}
ulong begSilence = readSize(data.mid(pos), pos);
if(pos > dataSize - 2) {
debug("MPC::Properties::readSV8() - \"SH\" packet is corrupt.");
break;
}
const ushort flags = data.toUShort(pos, true);
pos += 2;
@ -230,6 +245,12 @@ void MPC::Properties::readSV8(File *file)
else if (packetType == "RG") {
// Replay Gain
// http://trac.musepack.net/wiki/SV8Specification#ReplaygainPacket
if(dataSize <= 9) {
debug("MPC::Properties::readSV8() - \"RG\" packet is too short to parse.");
break;
}
readRG = true;
int replayGainVersion = data[0];
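Review bot: The new guards in both the "SH" and "RG" branches compare against `dataSize`, the length declared in the packet header, rather than the number of bytes actually held in `data`. Both variables are set outside these hunks, so this is inferred: if `data` can be shorter than `dataSize` (a truncated file whose header claims more than the file contains), the checks pass and `data[pos]`, `data.toUShort(pos, true)` and `data[0]` still index past the buffer. Consider rejecting such a packet before the `packetType` dispatch with `if(data.size() != dataSize) { debug("MPC::Properties::readSV8() - dataSize doesn't match the actual data size."); break; }`, or bound each check against `data.size()` instead. Separately, `dataSize - 3` and `dataSize - 2` avoid wrapping only because of the earlier `dataSize <= 5` guard (assuming `dataSize` is unsigned), which deserves a one-line comment such as `// dataSize > 5 here, so the subtraction cannot wrap`.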