From 9342a7de77e5b2279813051ae225da3b01eeb430 Mon Sep 17 00:00:00 2001 From: Andre Noll Date: Mon, 19 Oct 2009 21:31:39 +0200 Subject: [PATCH] read_asf_tags(): Carefully check length values. --- wma_afh.c | 115 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 60 insertions(+), 55 deletions(-) diff --git a/wma_afh.c b/wma_afh.c index 6db79d0e..94e6848b 100644 --- a/wma_afh.c +++ b/wma_afh.c @@ -83,20 +83,28 @@ static int put_utf8(uint32_t val, char *result) return out - result; } -static void get_str16(const char *in, int len, char *out, int out_size) +static char *get_str16(const char *in, int len) { const char *p = in; - char *q = out; + int out_size = 0, out_len = 0; + char *out = NULL; len /= 2; - while (len-- && q + 7 + 1 < out + out_size) { - uint32_t x = read_u16(p); + while (len--) { + uint32_t x; + if (out_len + 7 + 1 >= out_size) { + out_size = 2 * out_size + 50; + out = para_realloc(out, out_size); + } + x = read_u16(p); p += 2; - q += put_utf8(x, q); + out_len += put_utf8(x, out + out_len); if (x == 0) - return; + return out; } - *q = '\0'; + if (out) + out[out_len] = '\0'; + return out; } static const char comment_header[] = { @@ -123,61 +131,58 @@ static const char album_tag_header[] = { /* WM/AlbumTitle */ static void read_asf_tags(const char *buf, int buf_size, struct taginfo *ti) { - const char *p, *end = buf + buf_size; - char tag[255]; + const char *p, *end = buf + buf_size, *q; + uint16_t len1, len2, len3, len4, len5; p = search_pattern(comment_header, sizeof(comment_header), buf, buf_size); - if (p) { - int len1, len2, len3, len4, len5; - p += 24; - len1 = read_u16(p); - p += 2; - len2 = read_u16(p); - p += 2; - len3 = read_u16(p); - p += 2; - len4 = read_u16(p); - p += 2; - len5 = read_u16(p); - p += 2; - /* TODO: Check len values */ - get_str16(p, len1, tag, sizeof(tag)); - ti->title = para_strdup(tag); - PARA_INFO_LOG("title: %s\n", tag); - get_str16(p + len1, len2, tag, sizeof(tag)); - ti->artist = para_strdup(tag); - PARA_INFO_LOG("artist: %s\n", tag); - get_str16(p + len1 + len2 + len3 + len4, len5, tag, sizeof(tag)); - ti->comment = para_strdup(tag); - PARA_INFO_LOG("comment: %s\n", tag); - } else + if (!p || p + 34 >= end) { PARA_NOTICE_LOG("comment header not found\n"); + goto next; + } + p += 24; + len1 = read_u16(p); + p += 2; + len2 = read_u16(p); + p += 2; + len3 = read_u16(p); + p += 2; + len4 = read_u16(p); + p += 2; + len5 = read_u16(p); + p += 2; + if (p + len1 >= end) + goto next; + ti->title = get_str16(p, len1); + p += len1; + if (p + len2 >= end) + goto next; + ti->artist = get_str16(p, len2); + p += len2 + len3 + len4; + if (p + len5 >= end) + goto next; + ti->comment = get_str16(p, len5); +next: p = search_pattern(extended_content_header, sizeof(extended_content_header), buf, buf_size); - if (p) { - const char *q; - - q = search_pattern(year_tag_header, sizeof(year_tag_header), - p, end - p); - if (q) { - const char *r = q + sizeof(year_tag_header) + 6; - get_str16(r, end - r, tag, sizeof(tag)); - ti->year = para_strdup(tag); - PARA_INFO_LOG("year: %s\n", tag); - } - q = search_pattern(album_tag_header, sizeof(album_tag_header), - p, end - p); - if (q) { - const char *r = q + sizeof(album_tag_header) + 6; - get_str16(r, end - r, tag, sizeof(tag)); - ti->album = para_strdup(tag); - PARA_INFO_LOG("album: %s\n", tag); - } - return; - } else + if (!p) { PARA_NOTICE_LOG("extended content header not found\n"); - + return; + } + q = search_pattern(year_tag_header, sizeof(year_tag_header), + p, end - p); + if (q) { + const char *r = q + sizeof(year_tag_header) + 6; + if (r < end) + ti->year = get_str16(r, end - r); + } + q = search_pattern(album_tag_header, sizeof(album_tag_header), + p, end - p); + if (q) { + const char *r = q + sizeof(album_tag_header) + 6; + if (r < end) + ti->album = get_str16(r, end - r); + } } static void set_chunk_tv(int num_frames, int num_chunks, int frequency, -- 2.39.5