From f2eb33169649b3b3a9a97bf8f51c4d3f774bfb4e Mon Sep 17 00:00:00 2001
From: bobsayshilol
Date: Sat, 24 Apr 2021 17:03:28 +0100
Subject: [PATCH] MPC: Fix heap-buffer-overflow in readSV7()

If `data` is an allocation of only 3 bytes (MP+) then `data[3]` is a read past the end of the buffer.
---
 taglib/mpc/mpcproperties.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/taglib/mpc/mpcproperties.cpp b/taglib/mpc/mpcproperties.cpp
index 21de6d49..1e1e4b7c 100644
--- a/taglib/mpc/mpcproperties.cpp
+++ b/taglib/mpc/mpcproperties.cpp
@@ -298,6 +298,9 @@ void MPC::Properties::readSV8(File *file, long streamLength)
 void MPC::Properties::readSV7(const ByteVector &data, long streamLength)
 {
 if(data.startsWith("MP+")) {
+ if(data.size() < 4)
+ return;
+
 d->version = data[3] & 15;
 if(d->version < 7)
 return;
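Review bot: The added `if(data.size() < 4)` guard covers only the `data[3]` read on the line after it, and readSV7() continues past the end of this hunk, so any later header-field reads in the "MP+" branch should be checked against the same truncated input (they may already go through bounds-checked accessors, which is not visible here). The early return is silent, which presumably leaves the caller with default property values for a truncated file. A short comment such as `// "MP+" is 3 bytes and the version nibble is in byte 3, so at least 4 bytes are required` would explain where the 4 comes from. The diffstat shows only mpcproperties.cpp changed, so a regression test that parses a buffer holding just the 3-byte "MP+" magic would keep this out-of-bounds read from coming back.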