Be more careful when parsing Vorbis Comments

author: Frank Lai <frank.franklai@gmail.com> 2011-06-09 18:44:54 +0200
committer: Lukáš Lalinský <lalinsky@gmail.com> 2011-06-09 18:44:54 +0200
commit: b3646a07348ffa276ea41a9dae03ddc63ea6c532 (patch)
tree: be292a649f59932964a547aacd48d0688e69a2f3
parent: 8ed9b0da2cdb2ac870052d4734b622e755430f71 (diff)
1 files changed, 13 insertions, 3 deletions
diff --git a/taglib/ogg/xiphcomment.cpp b/taglib/ogg/xiphcomment.cpp
index 344d9cfc..e7e8fa91 100644
--- a/taglib/ogg/xiphcomment.cpp
+++ b/taglib/ogg/xiphcomment.cpp
@@ -295,21 +295,31 @@ void Ogg::XiphComment::parse(const ByteVector &data)
 
   // Next the number of fields in the comment vector.
 
-  int commentFields = data.mid(pos, 4).toUInt(false);
+  uint commentFields = data.mid(pos, 4).toUInt(false);
   pos += 4;
 
-  for(int i = 0; i < commentFields; i++) {
+  if(commentFields > (data.size() - 8) / 4) {
+    return;
+  }
+
+  for(uint i = 0; i < commentFields; i++) {
 
     // Each comment field is in the format "KEY=value" in a UTF8 string and has
     // 4 bytes before the text starts that gives the length.
 
-    int commentLength = data.mid(pos, 4).toUInt(false);
+    uint commentLength = data.mid(pos, 4).toUInt(false);
     pos += 4;
 
     String comment = String(data.mid(pos, commentLength), String::UTF8);
     pos += commentLength;
+    if(pos > data.size()) {
+      break;
+    }
 
     int commentSeparatorPosition = comment.find("=");
+    if(commentSeparatorPosition == -1) {
+      break;
+    }
 
     String key = comment.substr(0, commentSeparatorPosition);
     String value = comment.substr(commentSeparatorPosition + 1);
author	Frank Lai <frank.franklai@gmail.com>	2011-06-09 18:44:54 +0200
committer	Lukáš Lalinský <lalinsky@gmail.com>	2011-06-09 18:44:54 +0200
commit	b3646a07348ffa276ea41a9dae03ddc63ea6c532 (patch)
tree	be292a649f59932964a547aacd48d0688e69a2f3
parent	8ed9b0da2cdb2ac870052d4734b622e755430f71 (diff)