-
- while (sumsize < size && !f->stream->read_error) { /* CVE-2017-9222 */
- uint64_t destpos;
- subsize = mp4ff_atom_read_header(f, &atom_type, &header_size);
- destpos = mp4ff_position(f) + subsize - header_size;
- if (!done) {
- if (atom_type == ATOM_DATA) {
- mp4ff_read_char(f); /* version */
- mp4ff_read_int24(f); /* flags */
- mp4ff_read_int32(f); /* reserved */
-
- /* some need special attention */
- if (parent_atom_type == ATOM_GENRE2 || parent_atom_type == ATOM_TEMPO) {
- if (subsize - header_size >= 8 + 2) {
- uint16_t val = mp4ff_read_int16(f);
-
- if (parent_atom_type == ATOM_TEMPO) {
- char temp[16];
- sprintf(temp,
- "%.5u BPM",
- val);
- mp4ff_tag_add_field(&(f-> tags), "tempo", temp, -1);
- } else {
- const char *temp = mp4ff_meta_index_to_genre(val);
- if (temp) {
- mp4ff_tag_add_field (&(f->tags), "genre", temp, -1);
- }
- }
- done = 1;
- }
- } else if (parent_atom_type == ATOM_TRACK || parent_atom_type == ATOM_DISC) {
- if (!done && (subsize - header_size) >= (sizeof (char) + sizeof (uint8_t) * 3 + sizeof (uint32_t) + /* version + flags + reserved */
- +(parent_atom_type == ATOM_TRACK ? sizeof (uint16_t) : 0) /* leading uint16_t if ATOM_TRACK */
- +sizeof (uint16_t) /* track / disc */
- +sizeof (uint16_t)) /* totaltracks / totaldiscs */) {
- uint16_t index, total;
- char temp[32];
- mp4ff_read_int16(f);
- index = mp4ff_read_int16(f);
- total = mp4ff_read_int16(f);
- if (parent_atom_type == ATOM_TRACK)
- mp4ff_read_int16(f);
-
- sprintf(temp, "%d", index);
- mp4ff_tag_add_field(&(f->tags), parent_atom_type == ATOM_TRACK ?
- "track" : "disc", temp, -1);
- if (total > 0) {
- sprintf(temp, "%d",
- total);
- mp4ff_tag_add_field(& (f-> tags),
- parent_atom_type == ATOM_TRACK?
- "totaltracks" : "totaldiscs", temp, -1);
- }
- done = 1;
- }
- } else {
- if (data) {
- free(data);
- data = NULL;
- }
- data = mp4ff_read_string(f, (uint32_t) (subsize - (header_size + 8)));
- len = (uint32_t) (subsize - (header_size + 8));
- }
- } else if (atom_type == ATOM_NAME) {
- if (!done) {
- mp4ff_read_char(f); /* version */
- mp4ff_read_int24(f); /* flags */
- if (name)
- free(name);
- name = mp4ff_read_string(f, (uint32_t) (subsize - (header_size + 4)));
- }
+ uint64_t destpos;
+
+ for (
+ sumsize = 0;
+ sumsize < size && !f->stream->read_error; /* CVE-2017-9222 */
+ set_position(f, destpos), sumsize += subsize
+ ) {
+ subsize = atom_read_header(f, &atom_type, &header_size);
+ destpos = get_position(f) + subsize - header_size;
+ if (done)
+ continue;
+ if (atom_type == ATOM_NAME) {
+ read_char(f); /* version */
+ read_int24(f); /* flags */
+ free(name);
+ name = read_string(f, subsize - (header_size + 4));
+ continue;
+ }
+ if (atom_type != ATOM_DATA)
+ continue;
+ read_char(f); /* version */
+ read_int24(f); /* flags */
+ read_int32(f); /* reserved */
+
+ /* some need special attention */
+ if (parent == ATOM_GENRE2 || parent == ATOM_TEMPO) {
+ uint16_t val;
+ if (subsize - header_size < min_body_size(parent))
+ continue;
+ val = read_int16(f);
+ if (parent == ATOM_TEMPO) {
+ char temp[16];
+ sprintf(temp, "%.5u BPM", val);
+ tag_add_field(&(f-> tags), "tempo",
+ temp, -1);
+ } else {
+ const char *tmp = meta_index_to_genre(val);
+ if (tmp)
+ tag_add_field (&(f->tags),
+ "genre", tmp, -1);
+ }
+ done = 1;
+ } else if (parent == ATOM_TRACK || parent == ATOM_DISC) {
+ uint16_t index, total;
+ char temp[32];
+ if (subsize - header_size < min_body_size(parent))
+ continue;
+ read_int16(f);
+ index = read_int16(f);
+ total = read_int16(f);
+ if (parent == ATOM_TRACK)
+ read_int16(f);
+ sprintf(temp, "%d", index);
+ tag_add_field(&(f->tags), parent == ATOM_TRACK?
+ "track" : "disc", temp, -1);
+ if (total > 0) {
+ sprintf(temp, "%d", total);
+ tag_add_field(& (f-> tags),
+ parent == ATOM_TRACK?
+ "totaltracks" : "totaldiscs", temp, -1);