gentoo-overlay/media-sound/mp3gain/files/mp3gain-1.6.1-CVE-2017-1291...


--- a/apetag.c
+++ b/apetag.c
@@ -49,6 +49,12 @@
static int Lyrics3GetNumber6 ( const unsigned char* string )
{
+ if (string[0] < '0' || string[0] > '9') return 0;
+ if (string[1] < '0' || string[1] > '9') return 0;
+ if (string[2] < '0' || string[2] > '9') return 0;
+ if (string[3] < '0' || string[3] > '9') return 0;
+ if (string[4] < '0' || string[4] > '9') return 0;
+ if (string[5] < '0' || string[5] > '9') return 0;
return ( string[0] - '0') * 100000 +
( string[1] - '0') * 10000 +
( string[2] - '0') * 1000 +
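Review bot: Lyrics3GetNumber6 now returns 0 for a malformed length field, which the caller cannot tell apart from a genuine all-zero length, and the function carries no comment stating that contract. A header such as `/* Returns the 6-digit decimal value at string, or 0 if any of the six bytes is not an ASCII digit. */` would make it explicit. The six identical range checks could also be one loop, `for (i = 0; i < 6; i++) if (string[i] < '0' || string[i] > '9') return 0;`, which keeps the digit count in one place. The function body continues past the end of the hunk.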
@@ -86,12 +92,14 @@
free(*id3tagbuff);
*id3tagbuff = (unsigned char *)malloc(128);
memcpy(*id3tagbuff,tmpid3,128);
+ if ( *tag_offset < (128 + (long)(sizeof(T))) ) return 0;
if ( fseek (fp, *tag_offset - 128 - sizeof (T), SEEK_SET) ) return 0;
if ( fread (&T, 1, sizeof (T), fp) != sizeof (T) ) return 0;
// check for lyrics3 v2.00 tag
if ( memcmp (T.ID, "LYRICS200", sizeof (T.ID)) ) return 0;
len = Lyrics3GetNumber6 (T.Length);
- if ( fseek (fp, *tag_offset - 128 - (int)sizeof (T) - len, SEEK_SET) ) return 0;
+ if (*tag_offset < (128 + (long)(sizeof(T)) + len)) return 0;
+ if ( fseek (fp, *tag_offset - 128 - (long)sizeof (T) - len, SEEK_SET) ) return 0;
if ( fread (tmp, 1, 11, fp) != 11 ) return 0;
if ( memcmp (tmp, "LYRICSBEGIN", 11) ) return 0;
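Review bot: The result of `malloc(128)` is passed straight to `memcpy` without a NULL check, so an allocation failure while parsing a tag becomes a NULL write rather than a clean return. The commit adds offset bounds checks around the two `fseek` calls but leaves this path as it was. Adding `if (*id3tagbuff == NULL) return 0;` directly after the allocation would match the `return 0` convention used by every other failure in this hunk. The enclosing function starts and ends outside the hunk.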
@@ -167,6 +175,7 @@
Ver = Read_LE_Uint32 (T.Version);
if ( (Ver != 1000) && (Ver != 2000) ) return 0;
if ( (TagLen = Read_LE_Uint32 (T.Length)) < sizeof (T) ) return 0;
+ if (*tag_offset < TagLen) return 0;
if ( fseek (fp, *tag_offset - TagLen, SEEK_SET) ) return 0;
buff = (char *)malloc (TagLen);
if ( fread (buff, 1, TagLen - sizeof (T), fp) != (TagLen - sizeof (T)) ) {
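Review bot: The new guard `*tag_offset < TagLen` compares a `long` with TagLen, whose declaration is outside the hunk; if TagLen is an unsigned type at least as wide as `long`, a negative `*tag_offset` is converted to a large unsigned value and the check does not fire. Writing it as `if (*tag_offset < 0 || (unsigned long)*tag_offset < TagLen) return 0;` removes the dependence on the conversion rules. Separately, `malloc (TagLen)` takes a length read from the file and its result goes to `fread` unchecked; `if (buff == NULL) return 0;` after the allocation would cover that. The rest of the function is not visible here.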
@@ -285,6 +294,7 @@
(*apeTag)->originalTagSize = TagLen;
if ( Read_LE_Uint32 (T.Flags) & (1<<31) ) { // Tag contains header
+ if (*tag_offset < (long)(sizeof(T))) return 0;
*tag_offset -= sizeof (T);
fseek (fp, *tag_offset, SEEK_SET);
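Review bot: The `fseek (fp, *tag_offset, SEEK_SET);` after the new bounds check still ignores its return value, unlike the other seeks in this file, which return 0 on failure. If the seek fails, whatever read follows outside the hunk proceeds from the wrong position; `if ( fseek (fp, *tag_offset, SEEK_SET) ) return 0;` would be consistent with the rest. The flag test `(1<<31)` on the context line also shifts into the sign bit of an `int`, which is undefined behaviour; `(1u<<31)` avoids that.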
@@ -355,14 +365,14 @@
*/
int ReadMP3GainAPETag (char *filename, struct MP3GainTagInfo *info, struct FileTagsStruct *fileTags) {
FILE *fi;
- long tag_offset, offs_bk;
+ long tag_offset, offs_bk, file_size;
fi = fopen(filename, "rb");
if (fi == NULL)
return 0;
fseek(fi, 0, SEEK_END);
- tag_offset = ftell(fi);
+ tag_offset = file_size = ftell(fi);
fileTags->lyrics3TagSize = 0;
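Review bot: `ftell` returns -1 on failure and the `fseek` before it is unchecked, so `file_size` can be negative when `tag_offset = file_size = ftell(fi);` runs. In that case the range check added in the last hunk (`tag_offset >= 0 && tag_offset <= file_size`) fails and its fallback stores the negative `file_size` in `fileTags->tagOffset`. A guard right after the assignment, `if (file_size < 0) { fclose(fi); return 0; }`, keeps the later clamp meaningful. The function body continues outside this hunk.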
@@ -373,7 +383,11 @@
ReadMP3ID3v1Tag ( fi, &(fileTags->id31tag), &tag_offset );
} while ( offs_bk != tag_offset );
- fileTags->tagOffset = tag_offset;
+ if (tag_offset >= 0 && tag_offset <= file_size) {
+ fileTags->tagOffset = tag_offset;
+ } else { //Corrupt tag information, simply default to end-of-file
+ fileTags->tagOffset = file_size;
+ }
fclose(fi);
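Review bot: When the else branch resets `fileTags->tagOffset` to `file_size`, the other fields the tag readers filled in during the loop (for example `lyrics3TagSize` and `id31tag`, both visible in this function) appear to be left as they were, so the struct may describe tags that the offset no longer accounts for. Whether callers rely on those fields agreeing with `tagOffset` is not visible here and should be confirmed. If they do, the corrupt-tag branch should also reset the sizes, or the function should report failure instead of defaulting silently. The comment could state this, e.g. `/* Corrupt tag information: ignore parsed tags and treat the whole file as audio */`.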