read_asf_tags(): Carefully check length values.
authorAndre Noll <maan@systemlinux.org>
Mon, 19 Oct 2009 19:31:39 +0000 (21:31 +0200)
committerAndre Noll <maan@systemlinux.org>
Wed, 18 Nov 2009 18:34:25 +0000 (19:34 +0100)
wma_afh.c

index 6db79d0..94e6848 100644 (file)
--- a/wma_afh.c
+++ b/wma_afh.c
@@ -83,20 +83,28 @@ static int put_utf8(uint32_t val, char *result)
        return out - result;
 }
 
-static void get_str16(const char *in, int len, char *out, int out_size)
+static char *get_str16(const char *in, int len)
 {
        const char *p = in;
-       char *q = out;
+       int out_size = 0, out_len = 0;
+       char *out = NULL;
 
        len /= 2;
-       while (len-- && q + 7 + 1 < out + out_size) {
-               uint32_t x = read_u16(p);
+       while (len--) {
+               uint32_t x;
+               if (out_len + 7 + 1 >= out_size) {
+                       out_size = 2 * out_size + 50;
+                       out = para_realloc(out, out_size);
+               }
+               x = read_u16(p);
                p += 2;
-               q += put_utf8(x, q);
+               out_len += put_utf8(x, out + out_len);
                if (x == 0)
-                       return;
+                       return out;
        }
-       *q = '\0';
+       if (out)
+               out[out_len] = '\0';
+       return out;
 }
 
 static const char comment_header[] = {
@@ -123,61 +131,58 @@ static const char album_tag_header[] = { /* WM/AlbumTitle */
 
 static void read_asf_tags(const char *buf, int buf_size, struct taginfo *ti)
 {
-       const char *p, *end = buf + buf_size;
-       char tag[255];
+       const char *p, *end = buf + buf_size, *q;
+       uint16_t len1, len2, len3, len4, len5;
 
        p = search_pattern(comment_header, sizeof(comment_header),
                buf, buf_size);
-       if (p) {
-               int len1, len2, len3, len4, len5;
-               p += 24;
-               len1 = read_u16(p);
-               p += 2;
-               len2 = read_u16(p);
-               p += 2;
-               len3 = read_u16(p);
-               p += 2;
-               len4 = read_u16(p);
-               p += 2;
-               len5 = read_u16(p);
-               p += 2;
-               /* TODO: Check len values */
-               get_str16(p, len1, tag, sizeof(tag));
-               ti->title = para_strdup(tag);
-               PARA_INFO_LOG("title: %s\n", tag);
-               get_str16(p + len1, len2, tag, sizeof(tag));
-               ti->artist = para_strdup(tag);
-               PARA_INFO_LOG("artist: %s\n", tag);
-               get_str16(p + len1 + len2 + len3 + len4, len5, tag, sizeof(tag));
-               ti->comment = para_strdup(tag);
-               PARA_INFO_LOG("comment: %s\n", tag);
-       } else
+       if (!p || p + 34 >= end) {
                PARA_NOTICE_LOG("comment header not found\n");
+               goto next;
+       }
+       p += 24;
+       len1 = read_u16(p);
+       p += 2;
+       len2 = read_u16(p);
+       p += 2;
+       len3 = read_u16(p);
+       p += 2;
+       len4 = read_u16(p);
+       p += 2;
+       len5 = read_u16(p);
+       p += 2;
+       if (p + len1 >= end)
+               goto next;
+       ti->title = get_str16(p, len1);
+       p += len1;
+       if (p + len2 >= end)
+               goto next;
+       ti->artist = get_str16(p, len2);
+       p += len2 + len3 + len4;
+       if (p + len5 >= end)
+               goto next;
+       ti->comment = get_str16(p, len5);
+next:
        p = search_pattern(extended_content_header, sizeof(extended_content_header),
                buf, buf_size);
-       if (p) {
-               const char *q;
-
-               q = search_pattern(year_tag_header, sizeof(year_tag_header),
-                       p, end - p);
-               if (q) {
-                       const char *r = q + sizeof(year_tag_header) + 6;
-                       get_str16(r, end - r, tag, sizeof(tag));
-                       ti->year = para_strdup(tag);
-                       PARA_INFO_LOG("year: %s\n", tag);
-               }
-               q = search_pattern(album_tag_header, sizeof(album_tag_header),
-                       p, end - p);
-               if (q) {
-                       const char *r = q + sizeof(album_tag_header) + 6;
-                       get_str16(r, end - r, tag, sizeof(tag));
-                       ti->album = para_strdup(tag);
-                       PARA_INFO_LOG("album: %s\n", tag);
-               }
-               return;
-       } else
+       if (!p) {
                PARA_NOTICE_LOG("extended content header not found\n");
-
+               return;
+       }
+       q = search_pattern(year_tag_header, sizeof(year_tag_header),
+               p, end - p);
+       if (q) {
+               const char *r = q + sizeof(year_tag_header) + 6;
+               if (r < end)
+                       ti->year = get_str16(r, end - r);
+       }
+       q = search_pattern(album_tag_header, sizeof(album_tag_header),
+               p, end - p);
+       if (q) {
+               const char *r = q + sizeof(album_tag_header) + 6;
+               if (r < end)
+                       ti->album = get_str16(r, end - r);
+       }
 }
 
 static void set_chunk_tv(int num_frames, int num_chunks, int frequency,