
Mozilla 520500, Mozilla 521863

Don't reject files with vorbis comments with name or
values of length 0.

Patch by Chris Pearce
1 parent 12e315f commit ac2015dbd72d59208a482de5b0e69e74774e7987 @kfish committed Oct 17, 2009
Showing with 63 additions and 57 deletions.
  1. +63 −57 src/libfishsound/comments.c
120 src/libfishsound/comments.c
@@ -424,33 +424,33 @@ int
fish_sound_comments_decode (FishSound * fsound, unsigned char * comments,
long length)
{
- char *c= (char *)comments;
- int i, nb_fields, n;
- size_t len;
- char *end;
- char * name, * value, * nvalue = NULL;
- FishSoundComment * comment;
-
- if (length<8)
- return -1;
-
- end = c+length;
- len=readint(c, 0);
+ char *c= (char *)comments;
+ int i, nb_fields, n;
+ size_t len;
+ char *end;
+ char * name, * value, * nvalue = NULL;
+ FishSoundComment * comment;
- c+=4;
- if (len > (unsigned long) length - 4) return -1;
-
- /* Vendor */
- if (len > 0) {
- if ((nvalue = fs_strdup_len (c, len)) == NULL)
- return FISH_SOUND_ERR_OUT_OF_MEMORY;
- if (fish_sound_comment_set_vendor (fsound, nvalue) == FISH_SOUND_ERR_OUT_OF_MEMORY) {
- fs_free (nvalue);
- return FISH_SOUND_ERR_OUT_OF_MEMORY;
- }
+ if (length<8)
+ return -1;
+
+ end = c+length;
+ len=readint(c, 0);
+
+ c+=4;
+ if (len > (unsigned long) length - 4) return -1;
- fs_free (nvalue);
- }
+ /* Vendor */
+ if (len > 0) {
+ if ((nvalue = fs_strdup_len (c, len)) == NULL)
+ return FISH_SOUND_ERR_OUT_OF_MEMORY;
+ if (fish_sound_comment_set_vendor (fsound, nvalue) == FISH_SOUND_ERR_OUT_OF_MEMORY) {
+ fs_free (nvalue);
+ return FISH_SOUND_ERR_OUT_OF_MEMORY;
+ }
+
+ fs_free (nvalue);
+ }
#ifdef DEBUG
fwrite(c, 1, len, stderr); fputc ('\n', stderr);
#endif
@@ -474,54 +474,60 @@ fish_sound_comments_decode (FishSound * fsound, unsigned char * comments,
c+=4;
if (len > (unsigned long) (end-c)) return -1;
- name = c;
- value = fs_index_len (c, '=', len);
- if (value) {
- *value = '\0';
- value++;
+ name = c;
+ value = fs_index_len (c, '=', len);
+ if (value) {
+ *value = '\0';
+ value++;
+ nvalue = 0;
+ n = c+len - value;
+ }
+ if (n) {
+ *value = '\0';
+ value++;
n = c+len - value;
if ((nvalue = fs_strdup_len (value, n)) == NULL)
return FISH_SOUND_ERR_OUT_OF_MEMORY;
debug_printf (1, "%s -> %s (length %d)", name, nvalue, n);
- if ((comment = fs_comment_new (name, nvalue)) == NULL) {
- fs_free (nvalue);
- return FISH_SOUND_ERR_OUT_OF_MEMORY;
- }
-
- if (_fs_comment_add (fsound, comment) == NULL) {
- fs_free (nvalue);
- return FISH_SOUND_ERR_OUT_OF_MEMORY;
- }
+ if ((comment = fs_comment_new (name, nvalue)) == NULL) {
+ fs_free (nvalue);
+ return FISH_SOUND_ERR_OUT_OF_MEMORY;
+ }
- fs_free (nvalue);
- } else {
- debug_printf (1, "[%d] %s (no value)", i, name, len);
+ if (_fs_comment_add (fsound, comment) == NULL) {
+ fs_free (nvalue);
+ return FISH_SOUND_ERR_OUT_OF_MEMORY;
+ }
- if ((nvalue = fs_strdup_len (name, len)) == NULL)
- return FISH_SOUND_ERR_OUT_OF_MEMORY;
+ fs_free (nvalue);
+ } else {
+ debug_printf (1, "[%d] %s (no value)", i, name, len);
- if ((comment = fs_comment_new (nvalue, NULL)) == NULL) {
- fs_free (nvalue);
- return FISH_SOUND_ERR_OUT_OF_MEMORY;
- }
+ if ((nvalue = fs_strdup_len (name, len)) == NULL)
+ return FISH_SOUND_ERR_OUT_OF_MEMORY;
- if (_fs_comment_add (fsound, comment) == NULL) {
- fs_free (nvalue);
- return FISH_SOUND_ERR_OUT_OF_MEMORY;
- }
+ if ((comment = fs_comment_new (nvalue, "")) == NULL) {
+ fs_free (nvalue);
+ return FISH_SOUND_ERR_OUT_OF_MEMORY;
+ }
- fs_free (nvalue);
+ if (_fs_comment_add (fsound, comment) == NULL) {
+ fs_free (nvalue);
+ return FISH_SOUND_ERR_OUT_OF_MEMORY;
}
- c+=len;
- }
+ fs_free (nvalue);
+ }
- debug_printf (1, "OUT");
+ c+=len;
+ }
- return FISH_SOUND_OK;
+ debug_printf (1, "OUT");
+
+ return FISH_SOUND_OK;
}
/*
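Review bot: In the per-field loop, `n` is assigned only inside `if (value)` yet the new `if (n)` tests it on every iteration, and the declaration visible in the first hunk (`int i, nb_fields, n;`) gives it no initial value. For a field with no `=`, `value` is NULL and `n` is either indeterminate or left over from the previous field, so a nonzero `n` passes a NULL `value` to `fs_strdup_len (value, n)` instead of taking the "no value" branch; this data comes from the media file, so it should be treated as untrusted. Resetting it per field with `n = 0;` directly before `if (value) {` makes both the missing-value and zero-length-value cases reach the `else` branch. The page appears to have dropped some lines of this hunk (the header counts exceed what is shown), so confirm against the file that no such reset already exists; the loop header itself lies outside the hunk.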
