authorCarlos Garnacho <carlosg@gnome.org>2017-01-28 16:54:42 +0100
committerCarlos Garnacho <carlosg@gnome.org>2017-01-29 12:54:41 +0100
commit04c0484c5f35fbd915c86f9f730b864ee0e8caad (patch)
treeedef550d501284e7dc76c54a3685208a60ef6474
parent9c2caec7d07628755e78790af8805e12ec2d8e9e (diff)
downloadtracker-04c0484c5f35fbd915c86f9f730b864ee0e8caad.tar.gz
tracker-extract: Check size specified in id3v2.0/2.3/2.4 frames
It might conceivably be used to read past mmap()ped memory boundaries under the right conditions. Bailing out early avoids that. Coverity ID: 1298199 (Tentative fix)
-rw-r--r--src/tracker-extract/tracker-extract-mp3.c24
1 files changed, 24 insertions, 0 deletions
diff --git a/src/tracker-extract/tracker-extract-mp3.c b/src/tracker-extract/tracker-extract-mp3.c
index a29b8d35e..1d80d5191 100644
--- a/src/tracker-extract/tracker-extract-mp3.c
+++ b/src/tracker-extract/tracker-extract-mp3.c
@@ -1879,6 +1879,14 @@ parse_id3v24 (const gchar *data,
((data[pos+6] & 0x7F) << 7) |
((data[pos+7] & 0x7F) << 0));
+ if (pos + frame_size + csize > size) {
+ g_debug ("[v24] Size of current frame '%s' (%" G_GSIZE_FORMAT ") "
+ "exceeds file boundaries (%" G_GSIZE_FORMAT "), "
+ "not processing any more frames",
+ frame_name, csize, size);
+ break;
+ }
+
flags = (((unsigned char) (data[pos + 8]) << 8) +
((unsigned char) (data[pos + 9])));
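Review bot: The new guard `pos + frame_size + csize > size` forms the sum before comparing, so where size_t is 32 bits a large csize (a v2.3 frame size is a full 32-bit value read straight from the file) can wrap the sum back below size and let the oversized frame through; the v23 and v20 hunks use the same form. Rewriting it as `if (csize > size - pos - frame_size) {` compares without wrapping, provided the loop already guarantees pos + frame_size <= size, which the reads of data[pos+4..pos+7] just above appear to assume; if that is not guaranteed, that bound should be checked first. The debug message labels csize as the "Size of current frame" while the comparison also adds the frame header (frame_size), so a reader comparing the two printed numbers may be misled; consider wording it as the payload size or printing the full pos + frame_size + csize. parse_id3v24 begins and ends outside the hunk.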
@@ -2077,6 +2085,14 @@ parse_id3v23 (const gchar *data,
((unsigned char)(data[pos + 6]) << 8) |
((unsigned char)(data[pos + 7]) << 0) );
+ if (pos + frame_size + csize > size) {
+ g_debug ("[v23] Size of current frame '%s' (%" G_GSIZE_FORMAT ") "
+ "exceeds file boundaries (%" G_GSIZE_FORMAT "), "
+ "not processing any more frames",
+ frame_name, csize, size);
+ break;
+ }
+
flags = (((unsigned char)(data[pos + 8]) << 8) +
((unsigned char)(data[pos + 9])));
@@ -2206,6 +2222,14 @@ parse_id3v20 (const gchar *data,
((unsigned char)(data[pos + 4]) << 8) +
((unsigned char)(data[pos + 5]) ) );
+ if (pos + frame_size + csize > size) {
+ g_debug ("[v20] Size of current frame '%s' (%" G_GSIZE_FORMAT ") "
+ "exceeds file boundaries (%" G_GSIZE_FORMAT "), "
+ "not processing any more frames",
+ frame_name, csize, size);
+ break;
+ }
+
pos += frame_size;
if (frame == ID3V2_UNKNOWN) {