Changelog

https://bugs.kde.org/show_bug.cgi?id=278773

CMakeLists.txt

@@ -40,7 +40,7 @@ endif (WIN32)
 
 SET(TAGLIB_LIB_MAJOR_VERSION "1")
 SET(TAGLIB_LIB_MINOR_VERSION "7")
-SET(TAGLIB_LIB_PATCH_VERSION "0")
+SET(TAGLIB_LIB_PATCH_VERSION "2")
 
 SET(TAGLIB_LIB_VERSION_STRING "${TAGLIB_LIB_MAJOR_VERSION}.${TAGLIB_LIB_MINOR_VERSION}.${TAGLIB_LIB_PATCH_VERSION}")
 

NEWS

@@ -1,3 +1,24 @@
+TagLib 1.7.3 (Jul 12, 2012)
+===========================
+
+ * Fixed crash when parsing ID3v2 tags from APE files (BUG:278773).
+
+TagLib 1.7.2 (Apr 20, 2012)
+===========================
+
+ * Fixed division by zero while parsing corrupted MP4 files (CVE-2012-2396).
+ * Fixed compilation on Haiku.
+
+TagLib 1.7.1 (Mar 17, 2012)
+===========================
+
+ * Improved parsing of corrupted WMA, RIFF and OGG files.
+ * Fixed a memory leak in the WMA parser.
+ * Fixed a memory leak in the FLAC parser.
+ * Fixed a possible division by zero in the APE parser.
+ * Added detection of TTA2 files.
+ * Fixed saving of multiple identically named tags to Vorbis Comments.
+
 TagLib 1.7 (Mar 11, 2011)
 =========================
 

taglib/ape/apefooter.cpp

@@ -24,7 +24,7 @@
  *   http://www.mozilla.org/MPL/                                           *
  ***************************************************************************/
 
-#include <ostream>
+#include <iostream>
 #include <bitset>
 
 #include <tstring.h>

taglib/ape/apeproperties.cpp

@@ -137,7 +137,7 @@ long APE::Properties::findDescriptor()
   long ID3v2OriginalSize = 0;
   bool hasID3v2 = false;
   if(ID3v2Location >= 0) {
-    ID3v2::Tag tag(d->file, ID3v2Location, 0);
+    ID3v2::Tag tag(d->file, ID3v2Location);
     ID3v2OriginalSize = tag.header()->completeTagSize();
     if(tag.header()->tagSize() > 0)
       hasID3v2 = true;
@@ -193,7 +193,7 @@ void APE::Properties::analyzeCurrent()
   uint blocksPerFrame = header.mid(4, 4).toUInt(false);
   uint finalFrameBlocks = header.mid(8, 4).toUInt(false);
   uint totalBlocks = totalFrames > 0 ? (totalFrames -  1) * blocksPerFrame + finalFrameBlocks : 0;
-  d->length = totalBlocks / d->sampleRate;
+  d->length = d->sampleRate > 0 ? totalBlocks / d->sampleRate : 0;
   d->bitrate = d->length > 0 ? ((d->streamLength * 8L) / d->length) / 1000 : 0;
 }
 

taglib/asf/asffile.cpp

@@ -141,11 +141,19 @@ class ASF::File::HeaderExtensionObject : public ASF::File::BaseObject
 {
 public:
   List<ASF::File::BaseObject *> objects;
+  ~HeaderExtensionObject();
   ByteVector guid();
   void parse(ASF::File *file, uint size);
   ByteVector render(ASF::File *file);
 };
 
+ASF::File::HeaderExtensionObject::~HeaderExtensionObject()
+{
+  for(unsigned int i = 0; i < objects.size(); i++) {
+    delete objects[i];
+  }
+}
+
 void ASF::File::BaseObject::parse(ASF::File *file, unsigned int size)
 {
   data.clear();

taglib/flac/flacfile.cpp

@@ -161,10 +161,12 @@ bool FLAC::File::save()
     MetadataBlock *block = d->blocks[i];
     if(block->code() == MetadataBlock::VorbisComment) {
       // Set the new Vorbis Comment block
+      delete block;
       block = new UnknownMetadataBlock(MetadataBlock::VorbisComment, d->xiphCommentData);
       foundVorbisCommentBlock = true;
     }
     if(block->code() == MetadataBlock::Padding) {
+      delete block;
       continue;
     }
     newBlocks.append(block);
@@ -190,7 +192,7 @@ bool FLAC::File::save()
   // Adjust the padding block(s)
 
   long originalLength = d->streamStart - d->flacStart;
-  int paddingLength = originalLength - data.size() - 4; 
+  int paddingLength = originalLength - data.size() - 4;
   if (paddingLength < 0) {
     paddingLength = MinPaddingLength;
   }

taglib/mp4/mp4properties.cpp

@@ -91,15 +91,24 @@ MP4::Properties::Properties(File *file, MP4::Atoms *atoms, ReadStyle style)
 
   file->seek(mdhd->offset);
   data = file->readBlock(mdhd->length);
-  if(data[8] == 0) {
-    unsigned int unit = data.mid(20, 4).toUInt();
-    unsigned int length = data.mid(24, 4).toUInt();
-    d->length = length / unit;
-  }
-  else {
+  uint version = data[8];
+  if(version == 1) {
+    if (data.size() < 36 + 8) {
+      debug("MP4: Atom 'trak.mdia.mdhd' is smaller than expected");
+      return;
+    }
     long long unit = data.mid(28, 8).toLongLong();
     long long length = data.mid(36, 8).toLongLong();
-    d->length = int(length / unit);
+    d->length = unit ? int(length / unit) : 0;
+  }
+  else {
+    if (data.size() < 24 + 4) {
+      debug("MP4: Atom 'trak.mdia.mdhd' is smaller than expected");
+      return;
+    }
+    unsigned int unit = data.mid(20, 4).toUInt();
+    unsigned int length = data.mid(24, 4).toUInt();
+    d->length = unit ? length / unit : 0;
   }
 
   MP4::Atom *atom = trak->find("mdia", "minf", "stbl", "stsd");

taglib/mpeg/id3v2/id3v2header.cpp

@@ -23,7 +23,7 @@
  *   http://www.mozilla.org/MPL/                                           *
  ***************************************************************************/
 
-#include <ostream>
+#include <iostream>
 #include <bitset>
 
 #include <tstring.h>

taglib/mpeg/id3v2/id3v2synchdata.cpp

@@ -23,7 +23,7 @@
  *   http://www.mozilla.org/MPL/                                           *
  ***************************************************************************/
 
-#include <ostream>
+#include <iostream>
 
 #include "id3v2synchdata.h"
 

taglib/ogg/xiphcomment.cpp

@@ -287,7 +287,7 @@ void Ogg::XiphComment::parse(const ByteVector &data)
 
   int pos = 0;
 
-  int vendorLength = data.mid(0, 4).toUInt(false);
+  uint vendorLength = data.mid(0, 4).toUInt(false);
   pos += 4;
 
   d->vendorID = String(data.mid(pos, vendorLength), String::UTF8);
@@ -295,21 +295,31 @@ void Ogg::XiphComment::parse(const ByteVector &data)
 
   // Next the number of fields in the comment vector.
 
-  int commentFields = data.mid(pos, 4).toUInt(false);
+  uint commentFields = data.mid(pos, 4).toUInt(false);
   pos += 4;
 
-  for(int i = 0; i < commentFields; i++) {
+  if(commentFields > (data.size() - 8) / 4) {
+    return;
+  }
+
+  for(uint i = 0; i < commentFields; i++) {
 
     // Each comment field is in the format "KEY=value" in a UTF8 string and has
     // 4 bytes before the text starts that gives the length.
 
-    int commentLength = data.mid(pos, 4).toUInt(false);
+    uint commentLength = data.mid(pos, 4).toUInt(false);
     pos += 4;
 
     String comment = String(data.mid(pos, commentLength), String::UTF8);
     pos += commentLength;
+    if(pos > data.size()) {
+      break;
+    }
 
     int commentSeparatorPosition = comment.find("=");
+    if(commentSeparatorPosition == -1) {
+      break;
+    }
 
     String key = comment.substr(0, commentSeparatorPosition);
     String value = comment.substr(commentSeparatorPosition + 1);

taglib/riff/aiff/aifffile.cpp

@@ -87,6 +87,11 @@ bool RIFF::AIFF::File::save()
     return false;
   }
 
+  if(!isValid()) {
+    debug("RIFF::AIFF::File::save() -- Trying to save invalid file.");
+    return false;
+  }
+
   setChunkData(d->tagChunkID, d->tag->render());
 
   return true;

taglib/riff/aiff/aiffproperties.cpp

@@ -149,5 +149,5 @@ void RIFF::AIFF::Properties::read(const ByteVector &data)
   double sampleRate = ConvertFromIeeeExtended(reinterpret_cast<unsigned char *>(data.mid(8, 10).data()));
   d->sampleRate     = sampleRate;
   d->bitrate        = (sampleRate * d->sampleWidth * d->channels) / 1000.0;
-  d->length         = sampleFrames / d->sampleRate;
+  d->length         = d->sampleRate > 0 ? sampleFrames / d->sampleRate : 0;
 }

taglib/riff/rifffile.cpp

@@ -194,6 +194,19 @@ void RIFF::File::setChunkData(const ByteVector &name, const ByteVector &data)
 // private members
 ////////////////////////////////////////////////////////////////////////////////
 
+static bool isValidChunkID(const ByteVector &name)
+{
+  if(name.size() != 4) {
+    return false;
+  }
+  for(int i = 0; i < 4; i++) {
+    if(name[i] < 32 || name[i] > 127) {
+      return false;
+    }
+  }
+  return true;
+}
+
 void RIFF::File::read()
 {
   bool bigEndian = (d->endianness == BigEndian);
@@ -207,8 +220,15 @@ void RIFF::File::read()
     ByteVector chunkName = readBlock(4);
     uint chunkSize = readBlock(4).toUInt(bigEndian);
 
+    if(!isValidChunkID(chunkName)) {
+      debug("RIFF::File::read() -- Chunk '" + chunkName + "' has invalid ID");
+      setValid(false);
+      break;
+    }
+
     if(tell() + chunkSize > uint(length())) {
-      // something wrong
+      debug("RIFF::File::read() -- Chunk '" + chunkName + "' has invalid size (larger than the file size)");
+      setValid(false);
       break;
     }
 

taglib/riff/wav/wavfile.cpp

@@ -87,6 +87,11 @@ bool RIFF::WAV::File::save()
     return false;
   }
 
+  if(!isValid()) {
+    debug("RIFF::WAV::File::save() -- Trying to save invalid file.");
+    return false;
+  }
+
   setChunkData(d->tagChunkID, d->tag->render());
 
   return true;

taglib/toolkit/tbytevector.cpp

@@ -23,7 +23,7 @@
  *   http://www.mozilla.org/MPL/                                           *
  ***************************************************************************/
 
-#include <ostream>
+#include <iostream>
 
 #include <tstring.h>
 #include <tdebug.h>
@@ -363,7 +363,7 @@ ByteVector ByteVector::mid(uint index, uint length) const
 
   ConstIterator endIt;
 
-  if(length < 0xffffffff && length + index < size())
+  if(length < size() - index)
     endIt = d->data.begin() + index + length;
   else
     endIt = d->data.end();

taglib/toolkit/tbytevector.h

@@ -30,7 +30,7 @@
 #include "taglib_export.h"
 
 #include <vector>
-#include <ostream>
+#include <iostream>
 
 namespace TagLib {
 

taglib/toolkit/tstring.cpp

@@ -27,7 +27,7 @@
 #include "unicode.h"
 #include "tdebug.h"
 
-#include <ostream>
+#include <iostream>
 
 #include <string.h>
 

taglib/toolkit/tstring.h

@@ -31,7 +31,7 @@
 #include "tbytevector.h"
 
 #include <string>
-#include <ostream>
+#include <iostream>
 
 /*!
  * \relates TagLib::String

taglib/toolkit/tstringlist.h

@@ -31,7 +31,7 @@
 #include "tbytevectorlist.h"
 #include "taglib_export.h"
 
-#include <ostream>
+#include <iostream>
 
 namespace TagLib {
 

taglib/trueaudio/trueaudioproperties.cpp

@@ -118,19 +118,26 @@ void TrueAudio::Properties::read()
   int pos = 3;
 
   d->version = d->data[pos] - '0';
-  pos += 1 + 2;
+  pos += 1;
 
-  d->channels = d->data.mid(pos, 2).toShort(false);
-  pos += 2;
+  // According to http://en.true-audio.com/TTA_Lossless_Audio_Codec_-_Format_Description
+  // TTA2 headers are in development, and have a different format
+  if(1 == d->version) {
+    // Skip the audio format
+    pos += 2;
 
-  d->bitsPerSample = d->data.mid(pos, 2).toShort(false);
-  pos += 2;
+    d->channels = d->data.mid(pos, 2).toShort(false);
+    pos += 2;
 
-  d->sampleRate = d->data.mid(pos, 4).toUInt(false);
-  pos += 4;
+    d->bitsPerSample = d->data.mid(pos, 2).toShort(false);
+    pos += 2;
 
-  unsigned long samples = d->data.mid(pos, 4).toUInt(false);
-  d->length = samples / d->sampleRate;
+    d->sampleRate = d->data.mid(pos, 4).toUInt(false);
+    pos += 4;
 
-  d->bitrate = d->length > 0 ? ((d->streamLength * 8L) / d->length) / 1000 : 0;
+    uint sampleFrames = d->data.mid(pos, 4).toUInt(false);
+    d->length = d->sampleRate > 0 ? sampleFrames / d->sampleRate : 0;
+
+    d->bitrate = d->length > 0 ? ((d->streamLength * 8L) / d->length) / 1000 : 0;
+  }
 }

tests/test_wav.cpp

@@ -13,6 +13,7 @@ class TestWAV : public CppUnit::TestFixture
 {
   CPPUNIT_TEST_SUITE(TestWAV);
   CPPUNIT_TEST(testLength);
+  CPPUNIT_TEST(testZeroSizeDataChunk);
   CPPUNIT_TEST_SUITE_END();
 
 public:
@@ -20,9 +21,16 @@ public:
   void testLength()
   {
     RIFF::WAV::File f("data/empty.wav");
+    CPPUNIT_ASSERT_EQUAL(true, f.isValid());
     CPPUNIT_ASSERT_EQUAL(3, f.audioProperties()->length());
   }
 
+  void testZeroSizeDataChunk()
+  {
+    RIFF::WAV::File f("data/zero-size-chunk.wav");
+    CPPUNIT_ASSERT_EQUAL(false, f.isValid());
+  }
+
 };
 
 CPPUNIT_TEST_SUITE_REGISTRATION(TestWAV);