From 2513aa5ea20bc9b84e394a212b1eb62c47714ae7 Mon Sep 17 00:00:00 2001 From: theuni Date: Thu, 28 Oct 2010 15:58:36 +0000 Subject: [PATCH] fixed: don't segfault on corrupt vorbiscomments in flac files (cherry picked from commit c4cded5a6c8724369703d797c8524b8cc31d4522) git-svn-id: https://xbmc.svn.sourceforge.net/svnroot/xbmc/branches/Dharma@35058 568bbfeb-2a22-0410-94d2-cc84cf5bfa90 --- xbmc/FlacTag.cpp | 9 +++++++-- xbmc/FlacTag.h | 2 +- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/xbmc/FlacTag.cpp b/xbmc/FlacTag.cpp index 5f1e510094056..6483baa6e824a 100644 --- a/xbmc/FlacTag.cpp +++ b/xbmc/FlacTag.cpp @@ -83,7 +83,7 @@ bool CFlacTag::Read(const CStdString& strFile) { m_file->Read((void*)tag, size); // Process this tag info - ProcessVorbisComment(tag); + ProcessVorbisComment(tag,size); foundTag = true; delete[] tag; } @@ -210,7 +210,7 @@ int CFlacTag::FindFlacHeader(void) return 0; } -void CFlacTag::ProcessVorbisComment(const char *pBuffer) +void CFlacTag::ProcessVorbisComment(const char *pBuffer, size_t bufsize) { unsigned int Pos = 0; // position in the buffer unsigned int I1 = Endian_SwapLE32(*(unsigned int*)(pBuffer + Pos)); // length of vendor string @@ -220,6 +220,11 @@ void CFlacTag::ProcessVorbisComment(const char *pBuffer) char C1[CHUNK_SIZE]; for (unsigned int I2 = 0; I2 < Count; I2++) // Run through the comments { + if (Pos >= bufsize) + { + CLog::Log(LOGWARNING,"flac tag overflow"); + return; + } I1 = Endian_SwapLE32(*(unsigned int*)(pBuffer + Pos)); // Length of comment if (I1 < CHUNK_SIZE) { diff --git a/xbmc/FlacTag.h b/xbmc/FlacTag.h index 75144964ba8da..fba0ebbe1536f 100644 --- a/xbmc/FlacTag.h +++ b/xbmc/FlacTag.h 
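Review bot: The return value of `m_file->Read((void*)tag, size);` is discarded in the first FlacTag.cpp hunk, yet `size` is then passed to `ProcessVorbisComment(tag,size)` as the buffer length. On a truncated file the read may return fewer bytes than requested, in which case the parser would treat the unread tail of `tag` as valid comment data. Passing the byte count that Read actually returned (and skipping the tag when it is zero or negative) would tie the bound to real data. The allocation of `tag` and the surrounding loop are outside this hunk, so whether the buffer is zero-initialised cannot be confirmed from here.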
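Review bot: The vendor-string length is still read through `*(unsigned int*)(pBuffer + Pos)` at the top of ProcessVorbisComment before `bufsize` is consulted, so a comment block shorter than four bytes is dereferenced past its end; a guard such as `if (bufsize < 4) return;` ahead of that read would close this. The lines that skip the vendor string and read the comment count sit between this hunk and the next and are not visible. If they advance Pos by I1 without a check, they presumably need the same treatment, e.g. rejecting `I1 > bufsize - 4` before using it.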
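Review bot: The added `if (Pos >= bufsize)` test in the comment loop only proves that Pos is inside the buffer, not that the four bytes read by `Endian_SwapLE32(*(unsigned int*)(pBuffer + Pos))` on the next line are, so a Pos in the last three bytes still reads past the end. `if (bufsize < 4 || Pos > bufsize - 4)` covers the whole length field without overflowing. In the visible lines the comment length I1 is compared only with CHUNK_SIZE; the copy that follows is outside the hunk, but unless it is bounded elsewhere the comment should also be rejected when `I1 > bufsize - Pos - 4`. Pos is an `unsigned int`, so adding an unchecked I1 from the file could presumably wrap it back below bufsize and defeat the new test.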
@@ -41,7 +41,7 @@ class CFlacTag : public CVorbisTag protected: XFILE::CFile* m_file; - void ProcessVorbisComment(const char *pBuffer); + void ProcessVorbisComment(const char *pBuffer, size_t bufsize); int ReadFlacHeader(void); // returns the position after the STREAM_INFO metadata int FindFlacHeader(void); // returns the offset in the file of the fLaC data unsigned int ReadUnsigned(); // reads a 32 bit unsigned int