id3v2: Add missing overrun check for frame sizes

When frames claim to have a footer, ensure they
are large enough to contain one to avoid an invalid
read overrun.

Spotted by Joshua Yabut
Jan Schmidt 2016-12-09 17:57:52 +11:00
parent 226dfc3f32
commit d178f7626a


@ -236,10 +236,16 @@ gst_tag_list_from_id3v2_tag (GstBuffer * buffer)
work.hdr.size = read_size; work.hdr.size = read_size;
work.hdr.flags = flags; work.hdr.flags = flags;
work.hdr.frame_data = info.data + ID3V2_HDR_SIZE; work.hdr.frame_data = info.data + ID3V2_HDR_SIZE;
if (flags & ID3V2_HDR_FLAG_FOOTER)
if (flags & ID3V2_HDR_FLAG_FOOTER) {
if (read_size < ID3V2_HDR_SIZE + 10)
goto not_enough_data; /* Invalid frame size */
work.hdr.frame_data_size = read_size - ID3V2_HDR_SIZE - 10; work.hdr.frame_data_size = read_size - ID3V2_HDR_SIZE - 10;
else } else {
if (read_size < ID3V2_HDR_SIZE)
goto not_enough_data; /* Invalid frame size */
work.hdr.frame_data_size = read_size - ID3V2_HDR_SIZE; work.hdr.frame_data_size = read_size - ID3V2_HDR_SIZE;
}
/* in v2.3 the frame sizes are not syncsafe, so the entire tag had to be /* in v2.3 the frame sizes are not syncsafe, so the entire tag had to be
* unsynced. In v2.4 the frame sizes are syncsafe so it's just the frame * unsynced. In v2.4 the frame sizes are syncsafe so it's just the frame