authorJan Schmidt <jan@centricular.com>2016-12-09 17:57:52 +1100
committerJan Schmidt <jan@centricular.com>2016-12-09 18:12:21 +1100
commited6e201647a78a7fd4c2c014279a56cb822c95f5 (patch)
treef775e7eaf6c6670cff0c8c299b98aaee1c9231b4
parent5b873a9bec5f93100160ce1e4aa02a32351a265d (diff)
id3v2: Add missing overrun check for frame sizes
When frames claim to have a footer, ensure they are large enough to contain one to avoid an invalid read overrun. Spotted by Joshua Yabut
-rw-r--r--gst-libs/gst/tag/id3v2.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/gst-libs/gst/tag/id3v2.c b/gst-libs/gst/tag/id3v2.c
index 4579d25d7..54f38fca1 100644
--- a/gst-libs/gst/tag/id3v2.c
+++ b/gst-libs/gst/tag/id3v2.c
@@ -236,10 +236,16 @@ gst_tag_list_from_id3v2_tag (GstBuffer * buffer)
work.hdr.size = read_size;
work.hdr.flags = flags;
work.hdr.frame_data = info.data + ID3V2_HDR_SIZE;
- if (flags & ID3V2_HDR_FLAG_FOOTER)
+
+ if (flags & ID3V2_HDR_FLAG_FOOTER) {
+ if (read_size < ID3V2_HDR_SIZE + 10)
+ goto not_enough_data; /* Invalid frame size */
work.hdr.frame_data_size = read_size - ID3V2_HDR_SIZE - 10;
- else
+ } else {
+ if (read_size < ID3V2_HDR_SIZE)
+ goto not_enough_data; /* Invalid frame size */
work.hdr.frame_data_size = read_size - ID3V2_HDR_SIZE;
+ }
/* in v2.3 the frame sizes are not syncsafe, so the entire tag had to be
* unsynced. In v2.4 the frame sizes are syncsafe so it's just the frame