From d74689cb93f99d90c9fc2f03eef4fe6afc20e856 Mon Sep 17 00:00:00 2001
From: bobsayshilol
Date: Sun, 25 Apr 2021 13:20:55 +0100
Subject: [PATCH] ASF: Bounds check the size of each header object

UBSan spotted an integer overflow on the line `dataPos += size`, so add a bounds check to the size that we read.
---
 taglib/asf/asffile.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/taglib/asf/asffile.cpp b/taglib/asf/asffile.cpp
index fd754803..0e845d8a 100644
--- a/taglib/asf/asffile.cpp
+++ b/taglib/asf/asffile.cpp
@@ -384,7 +384,7 @@ void ASF::File::FilePrivate::HeaderExtensionObject::parse(ASF::File *file, unsig
 }
 bool ok;
 long long size = readQWORD(file, &ok);
- if(!ok) {
+ if(!ok || size < 0 || size > dataSize - dataPos) {
 file->setValid(false);
 break;
 }
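Review bot: The new guard `size < 0 || size > dataSize - dataPos` still accepts sizes smaller than an object header, including `size == 0`. In ASF the object size field counts the 24-byte header itself (16-byte GUID plus the 8-byte size just read by `readQWORD`), so any value below 24 is malformed input. With a zero size, the `dataPos += size` named in the commit message would presumably not advance the loop, and any later code that subtracts the header length from `size` could wrap; neither is visible here, because the body of `parse` starts and ends outside the hunk, so confirm against the full function. Tightening the lower bound would reject these files up front: `if(!ok || size < 24 || size > dataSize - dataPos) {`.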