
Be more careful when parsing Vorbis Comments

commit b3646a07348ffa276ea41a9dae03ddc63ea6c532 1 parent 8ed9b0d
authored June 09, 2011 lalinsky committed June 09, 2011

Showing 1 changed file with 13 additions and 3 deletions. Show diff stats Hide diff stats

  1. 16  taglib/ogg/xiphcomment.cpp
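--- a/taglib/ogg/xiphcomment.cpp
+++ b/taglib/ogg/xiphcomment.cpp
@@ -295,21 +295,31 @@ void Ogg::XiphComment::parse(const ByteVector &data)
 
   // Next the number of fields in the comment vector.
 
-  int commentFields = data.mid(pos, 4).toUInt(false);
+  uint commentFields = data.mid(pos, 4).toUInt(false);
   pos += 4;
 
-  for(int i = 0; i < commentFields; i++) {
+  if(commentFields > (data.size() - 8) / 4) {
+    return;
+  }
+
+  for(uint i = 0; i < commentFields; i++) {
 
     // Each comment field is in the format "KEY=value" in a UTF8 string and has
     // 4 bytes before the text starts that gives the length.
 
-    int commentLength = data.mid(pos, 4).toUInt(false);
+    uint commentLength = data.mid(pos, 4).toUInt(false);
     pos += 4;
 
     String comment = String(data.mid(pos, commentLength), String::UTF8);
     pos += commentLength;
+    if(pos > data.size()) {
+      break;
+    }
 
     int commentSeparatorPosition = comment.find("=");
+    if(commentSeparatorPosition == -1) {
+      break;
+    }
 
     String key = comment.substr(0, commentSeparatorPosition);
     String value = comment.substr(commentSeparatorPosition + 1);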
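Review bot: The new `pos > data.size()` check in the loop runs only after `data.mid(pos, commentLength)` has already been used to build `comment`, and `pos += commentLength` adds an unvalidated 32-bit length taken from the file. The declaration of `pos` is outside the hunk, but if it is a signed `int`, a very large length could wrap it and slip past that comparison. Validating the length against the remaining bytes before it is used would close both gaps, for example `if(pos > data.size() || commentLength > data.size() - pos) break;` placed directly after the `pos += 4;` inside the loop. The earlier guard `commentFields > (data.size() - 8) / 4` has a similar edge: if `size()` returns an unsigned type and the buffer is shorter than 8 bytes, the subtraction wraps and any field count is accepted, so a `data.size() < 8` test in front of it would help. parse() begins before this hunk and the loop body continues after it.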
