List: kde-commits
Subject: branches/stable/extragear/multimedia/amarok
From: Martin Aumüller <aumuell () reserv ! at>
Date: 2009-01-09 17:38:51
Message-ID: 1231522731.462011.17026.nullmailer () svn ! kde ! org
SVN commit 908415 by aumuell:
backport r908391 from trunk: avoid excessive and short memory allocations, check for \
allocation
M +4 -1 ChangeLog
M +50 -8 src/metadata/audible/audibletag.cpp
--- branches/stable/extragear/multimedia/amarok/ChangeLog #908414:908415
@@ -1,7 +1,10 @@
Amarok ChangeLog
================
-(C) 2002-2007 the Amarok authors.
+(C) 2002-2009 the Amarok authors.
+ BUGFIX:
+ * Fix possible buffer overflows when parsing Audible .aa files.
+
VERSION 1.4.10
BUGFIX:
* Fix vulnerability in the Magnatune database parsing code. Secunia
--- branches/stable/extragear/multimedia/amarok/src/metadata/audible/audibletag.cpp \
#908414:908415
@@ -71,7 +71,8 @@
{
char buf[1023];
fseek(fp, OFF_PRODUCT_ID, SEEK_SET);
- fread(buf, strlen("product_id"), 1, fp);
+ if (fread(buf, strlen("product_id"), 1, fp) != 1)
+ return;
if(memcmp(buf, "product_id", strlen("product_id")))
{
buf[20]='\0';
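Review bot: The mismatch branch directly after the new check writes `buf[20]='\0'` although only `strlen("product_id")` (10) bytes were read into `buf`, so bytes 10–19 hold uninitialized stack contents if the buffer is then used as a string (that use is outside the hunk, so this is inferred). Zero-initializing the buffer with `char buf[1023] = {0};`, or terminating at the length actually read, would avoid exposing that data. The return value of `fseek` is still unchecked, though the new `fread` check does catch a file too short to contain the field. The enclosing function starts and ends outside the hunk.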
@@ -130,24 +131,65 @@
bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
{
+ // arbitrary value that has to be smaller than 2^32-1 and that should be large \
enough for all tags \
+ const uint32_t maxtaglen = 100000;
+
uint32_t nlen;
- fread(&nlen, sizeof(nlen), 1, fp);
+ if (fread(&nlen, sizeof(nlen), 1, fp) != 1)
+ return false;
nlen = ntohl(nlen);
//fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
- *name = new char[nlen+1];
- (*name)[nlen] = '\0';
+ if (nlen > maxtaglen)
+ return false;
uint32_t vlen;
- fread(&vlen, sizeof(vlen), 1, fp);
+ if (fread(&vlen, sizeof(vlen), 1, fp) != 1)
+ return false;
vlen = ntohl(vlen);
//fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
+ if (vlen > maxtaglen)
+ return false;
+
+ *name = new char[nlen+1];
+ if (!*name)
+ return false;
+
*value = new char[vlen+1];
+ if (!*value)
+ {
+ delete[] *name;
+ *name = 0;
+ return false;
+ }
+
+ (*name)[nlen] = '\0';
(*value)[vlen] = '\0';
- fread(*name, nlen, 1, fp);
- fread(*value, vlen, 1, fp);
+ if (fread(*name, nlen, 1, fp) != 1)
+ {
+ delete[] *name;
+ *name = 0;
+ delete[] *value;
+ *value = 0;
+ return false;
+ }
+ if (fread(*value, vlen, 1, fp) != 1)
+ {
+ delete[] *name;
+ *name = 0;
+ delete[] *value;
+ *value = 0;
+ return false;
+ }
char lasttag;
- fread(&lasttag, 1, 1, fp);
+ if (fread(&lasttag, 1, 1, fp) != 1)
+ {
+ delete[] *name;
+ *name = 0;
+ delete[] *value;
+ *value = 0;
+ return false;
+ }
//fprintf(stderr, "%s: \"%s\"\n", *name, *value);
m_tagsEndOffset += 2 * 4 + nlen + vlen + 1;
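Review bot: The new `fread(*name, nlen, 1, fp) != 1` and `fread(*value, vlen, 1, fp) != 1` checks reject any tag whose name or value length is zero, because fread returns 0 when the element size is 0; guarding them as `if (nlen && fread(*name, nlen, 1, fp) != 1)` (and likewise for `vlen`) keeps empty tags readable. The `if (!*name)` and `if (!*value)` tests are unlikely to ever fire, since plain `new char[n]` reports failure by throwing std::bad_alloc rather than returning null; `new (std::nothrow) char[nlen+1]` would make them effective. The `return false` paths taken before the allocations leave `*name` and `*value` untouched, so a caller must not free them on failure unless it initialized them itself (the caller is not visible here). readTag continues past the end of the hunk.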