ASF: Bounds check the size of each header object

UBSan spotted an integer overflow on the line `dataPos += size`, so add a bounds check to the size that we read.
2025-06-03 09:08:09 -04:00 · 2021-04-25 13:20:55 +01:00 · 2021-04-25 13:20:55 +01:00 · d74689cb93
commit d74689cb93
parent 51ae5748cb
1 changed files with 1 additions and 1 deletions
--- a/taglib/asf/asffile.cpp
+++ b/taglib/asf/asffile.cpp
@ -384,7 +384,7 @@ void ASF::File::FilePrivate::HeaderExtensionObject::parse(ASF::File *file, unsig
    }
    bool ok;
    long long size = readQWORD(file, &ok);
-    if(!ok) {
+    if(!ok || size < 0 || size > dataSize - dataPos) {
      file->setValid(false);
      break;
    }