File taglib-infinite-loop.patch of Package taglib

Overview Repositories Revisions Requests Users Attributes Meta

File taglib-infinite-loop.patch of Package taglib

Index: taglib/ogg/xiphcomment.cpp
===================================================================
--- taglib/ogg/xiphcomment.cpp.orig
+++ taglib/ogg/xiphcomment.cpp
@@ -295,21 +295,31 @@ void Ogg::XiphComment::parse(const ByteV
 
   // Next the number of fields in the comment vector.
 
-  int commentFields = data.mid(pos, 4).toUInt(false);
+  uint commentFields = data.mid(pos, 4).toUInt(false);
   pos += 4;
 
-  for(int i = 0; i < commentFields; i++) {
+  if(commentFields > (data.size() - 8) / 4) {
+    return;
+  }
+
+  for(uint i = 0; i < commentFields; i++) {
 
     // Each comment field is in the format "KEY=value" in a UTF8 string and has
     // 4 bytes before the text starts that gives the length.
 
-    int commentLength = data.mid(pos, 4).toUInt(false);
+    uint commentLength = data.mid(pos, 4).toUInt(false);
     pos += 4;
 
     String comment = String(data.mid(pos, commentLength), String::UTF8);
     pos += commentLength;
+    if(pos > data.size()) {
+      break;
+    }
 
     int commentSeparatorPosition = comment.find("=");
+    if(commentSeparatorPosition == -1) {
+      break;
+    }
 
     String key = comment.substr(0, commentSeparatorPosition);
     String value = comment.substr(commentSeparatorPosition + 1);

Places

File taglib-infinite-loop.patch of Package taglib

Places