diff options
author | Scott Gayou <github.scott@gmail.com> | 2018-10-09 18:46:55 -0500 |
---|---|---|
committer | Stephen F. Booth <me@sbooth.org> | 2018-10-09 18:46:55 -0500 |
commit | 2c4ae870ec086f2ddd21a47861a3709c36faac45 (patch) | |
tree | 12c82240b42cffb0c50b2fcfc1ad5ac5eb52d99a | |
parent | d8d56d39372928d98534a331ac0d3b2d0a2b14c9 (diff) |
Fixed OOB read when loading invalid ogg flac file. (#868) (#869)
CVE-2018-11439 is caused by a failure to check the minimum length
of a ogg flac header. This header is detailed in full at:
https://xiph.org/flac/ogg_mapping.html. Added more strict checking
for entire header.
-rw-r--r-- | taglib/ogg/flac/oggflacfile.cpp | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp index 53d04508..07ea9dcc 100644 --- a/taglib/ogg/flac/oggflacfile.cpp +++ b/taglib/ogg/flac/oggflacfile.cpp @@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan() if(!metadataHeader.startsWith("fLaC")) { // FLAC 1.1.2+ + // See https://xiph.org/flac/ogg_mapping.html for the header specification. + if(metadataHeader.size() < 13) + return; + + if(metadataHeader[0] != 0x7f) + return; + if(metadataHeader.mid(1, 4) != "FLAC") return; - if(metadataHeader[5] != 1) - return; // not version 1 + if(metadataHeader[5] != 1 && metadataHeader[6] != 0) + return; // not version 1.0 + + if(metadataHeader.mid(9, 4) != "fLaC") + return; metadataHeader = metadataHeader.mid(13); } |