File r908415.diff of Package kde3-amarok
Index: ChangeLog =================================================================== --- ChangeLog (revision 908414) +++ ChangeLog (revision 908415) @@ -1,7 +1,10 @@ Amarok ChangeLog ================ -(C) 2002-2007 the Amarok authors. +(C) 2002-2009 the Amarok authors. + BUGFIX: + * Fix possible buffer overflows when parsing Audible .aa files. + VERSION 1.4.10 BUGFIX: * Fix vulnerability in the Magnatune database parsing code. Secunia Index: src/metadata/audible/audibletag.cpp =================================================================== --- amarok/src/metadata/audible/audibletag.cpp (revision 908414) +++ amarok/src/metadata/audible/audibletag.cpp (revision 908415) @@ -71,7 +71,8 @@ { char buf[1023]; fseek(fp, OFF_PRODUCT_ID, SEEK_SET); - fread(buf, strlen("product_id"), 1, fp); + if (fread(buf, strlen("product_id"), 1, fp) != 1) + return; if(memcmp(buf, "product_id", strlen("product_id"))) { buf[20]='\0'; 
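Review bot: The `fseek(fp, OFF_PRODUCT_ID, SEEK_SET)` just above the new check is still unchecked, so if the seek fails (for example on a non-seekable stream) the 10-byte read can succeed at the wrong offset; `if (fseek(fp, OFF_PRODUCT_ID, SEEK_SET) != 0) return;` would close that. Only 10 bytes of `buf` are filled before the mismatch branch writes `buf[20]='\0'`, so bytes 10–19 are uninitialised stack data if that branch goes on to print or copy `buf`; declaring it as `char buf[1023] = {0};` avoids exposing them. The enclosing function starts and ends outside the hunk, so what the branch does with `buf` is not visible here.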
@@ -130,24 +131,65 @@ bool Audible::Tag::readTag( FILE *fp, char **name, char **value) { + // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags + const uint32_t maxtaglen = 100000; + uint32_t nlen; - fread(&nlen, sizeof(nlen), 1, fp); + if (fread(&nlen, sizeof(nlen), 1, fp) != 1) + return false; nlen = ntohl(nlen); //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen); - *name = new char[nlen+1]; - (*name)[nlen] = '\0'; + if (nlen > maxtaglen) + return false; uint32_t vlen; - fread(&vlen, sizeof(vlen), 1, fp); + if (fread(&vlen, sizeof(vlen), 1, fp) != 1) + return false; vlen = ntohl(vlen); //fprintf(stderr, "tag len=%x\n", (unsigned)vlen); + if (vlen > maxtaglen) + return false; + + *name = new char[nlen+1]; + if (!*name) + return false; + *value = new char[vlen+1]; + if (!*value) + { + delete[] *name; + *name = 0; + return false; + } + + (*name)[nlen] = '\0'; (*value)[vlen] = '\0'; - fread(*name, nlen, 1, fp); - fread(*value, vlen, 1, fp); + if (fread(*name, nlen, 1, fp) != 1) + { + delete[] *name; + *name = 0; + delete[] *value; + *value = 0; + return false; + } + if (fread(*value, vlen, 1, fp) != 1) + { + delete[] *name; + *name = 0; + delete[] *value; + *value = 0; + return false; + } char lasttag; - fread(&lasttag, 1, 1, fp); + if (fread(&lasttag, 1, 1, fp) != 1) + { + delete[] *name; + *name = 0; + delete[] *value; + *value = 0; + return false; + } //fprintf(stderr, "%s: \"%s\"\n", *name, *value); m_tagsEndOffset += 2 * 4 + nlen + vlen + 1;
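Review bot: A tag whose name or value is empty now makes readTag fail, because `fread(ptr, 0, 1, fp)` returns 0 and the new `!= 1` checks on the `*name` and `*value` reads treat that as an error; guard them as `if (nlen && fread(*name, nlen, 1, fp) != 1)` and likewise for `vlen`. The `if (!*name)` and `if (!*value)` checks are dead code with plain `new[]`, which reports failure by throwing rather than returning null; `new (std::nothrow) char[nlen+1]` would make them meaningful. The early `return false` paths before the allocations leave `*name` and `*value` untouched, so if the caller (not visible here) frees them on failure it would be safer to set both to 0 at the top of the function. The function's closing lines are outside the hunk.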