--- a/apetag.c
+++ b/apetag.c
@@ -49,6 +49,12 @@
 
 static int Lyrics3GetNumber6 ( const unsigned char* string )
 {
+	if (string[0] < '0' || string[0] > '9') return 0;
+	if (string[1] < '0' || string[1] > '9') return 0;
+	if (string[2] < '0' || string[2] > '9') return 0;
+	if (string[3] < '0' || string[3] > '9') return 0;
+	if (string[4] < '0' || string[4] > '9') return 0;
+	if (string[5] < '0' || string[5] > '9') return 0;
 	return ( string[0] - '0') * 100000 +
 		   ( string[1] - '0') * 10000 +
 		   ( string[2] - '0') * 1000 +
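Review bot: The six added guards in Lyrics3GetNumber6 are the same test on string[0] through string[5] written out by hand, which is easy to get wrong when the digit count changes and hides the intent (validate a six-character ASCII decimal field). A loop says the same thing in two lines and keeps the rejection behaviour identical: `for (int i = 0; i < 6; i++)` / `	if (string[i] < '0' || string[i] > '9') return 0;`. Worth a one-line comment above the return, since 0 is now both the parsed value of "000000" and the failure marker: `// returns 0 for a malformed length field; callers seek with the result, so 0 is the safe fallback`. The function's return expression continues past the end of the hunk.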
@@ -86,12 +92,14 @@
 		free(*id3tagbuff);
 	*id3tagbuff = (unsigned char *)malloc(128);
     memcpy(*id3tagbuff,tmpid3,128);
+	if ( *tag_offset < (128 + (long)(sizeof(T))) ) return 0;
     if ( fseek (fp, *tag_offset - 128 - sizeof (T), SEEK_SET) ) return 0;
     if ( fread (&T, 1, sizeof (T), fp) != sizeof (T) ) return 0;
     // check for lyrics3 v2.00 tag
     if ( memcmp (T.ID, "LYRICS200", sizeof (T.ID)) ) return 0;
 	len = Lyrics3GetNumber6 (T.Length);
-	if ( fseek (fp, *tag_offset - 128 - (int)sizeof (T) - len, SEEK_SET) ) return 0;
+	if (*tag_offset < (128 + (long)(sizeof(T)) + len)) return 0;
+	if ( fseek (fp, *tag_offset - 128 - (long)sizeof (T) - len, SEEK_SET) ) return 0;
     if ( fread  (tmp, 1, 11, fp) != 11 ) return 0;
     if ( memcmp (tmp, "LYRICSBEGIN", 11) ) return 0;
     
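Review bot: The new bound on *tag_offset guards the seek on the following line, but that seek still subtracts an unconverted sizeof (T): with a long minus a size_t the arithmetic is done in unsigned, so the expression relies on the check above to stay in range, while the second seek further down was rewritten with an explicit (long) cast. Making the two seeks consistent keeps the intent visible: `if ( fseek (fp, *tag_offset - 128 - (long)sizeof (T), SEEK_SET) ) return 0;`. The malloc(128) two lines above the new check still has no NULL test before memcpy writes into it; that predates this change but sits on the same path and merits `if (*id3tagbuff == NULL) return 0;`. The enclosing function starts and ends outside the hunk.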
@@ -167,6 +175,7 @@
     Ver = Read_LE_Uint32 (T.Version);
     if ( (Ver != 1000) && (Ver != 2000) ) return 0;
     if ( (TagLen = Read_LE_Uint32 (T.Length)) < sizeof (T) ) return 0;
+	if (*tag_offset < TagLen) return 0;
     if ( fseek (fp, *tag_offset - TagLen, SEEK_SET) ) return 0;
     buff = (char *)malloc (TagLen);
     if ( fread (buff, 1, TagLen - sizeof (T), fp) != (TagLen - sizeof (T)) ) {
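Review bot: The added `if (*tag_offset < TagLen) return 0;` compares a long with TagLen, whose declaration is outside the hunk; if TagLen is an unsigned 32-bit value (Read_LE_Uint32 suggests so) the comparison is signed/unsigned and, on a 32-bit long, a negative *tag_offset would be promoted and pass the check. Spelling the two halves out avoids depending on the promotion rules: `if (*tag_offset < 0 || (unsigned long)*tag_offset < TagLen) return 0;`. The check does usefully bound the file-derived TagLen by the file position before the malloc below, but that malloc result is still used by fread without a NULL test (`if (buff == NULL) return 0;`). The enclosing function starts and ends outside the hunk.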
@@ -285,6 +294,7 @@
 	(*apeTag)->originalTagSize = TagLen;
 
     if ( Read_LE_Uint32 (T.Flags) & (1<<31) ) {  // Tag contains header
+		if (*tag_offset < (long)(sizeof(T))) return 0;
         *tag_offset -= sizeof (T);
 
 		fseek (fp, *tag_offset, SEEK_SET);
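Review bot: The new check makes the `*tag_offset -= sizeof (T)` safe, but the fseek on the last line of the hunk still ignores its return value, unlike every other seek touched by this change; a failed seek here leaves the stream position undefined for the reads that presumably follow. Suggest `if ( fseek (fp, *tag_offset, SEEK_SET) ) return 0;`. Note that the early return is placed after `(*apeTag)->originalTagSize = TagLen` two lines above, so *apeTag appears to be already allocated at that point; whether the caller frees it on a 0 return is not visible in the hunk and should be confirmed. The enclosing function starts and ends outside the hunk.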
@@ -355,14 +365,14 @@
  */
 int ReadMP3GainAPETag (char *filename, struct MP3GainTagInfo *info, struct FileTagsStruct *fileTags) {
     FILE *fi;
-    long tag_offset, offs_bk;
+    long tag_offset, offs_bk, file_size;
 
     fi = fopen(filename, "rb");
     if (fi == NULL)
 		return 0;
 	
 	fseek(fi, 0, SEEK_END);
-    tag_offset = ftell(fi);
+    tag_offset = file_size = ftell(fi);
 	
 	fileTags->lyrics3TagSize = 0;
 
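Review bot: `tag_offset = file_size = ftell(fi);` takes ftell's result unchecked, and the preceding fseek(fi, 0, SEEK_END) is unchecked too, so on error both variables become -1; the new fallback in the next hunk (`fileTags->tagOffset = file_size` when tag_offset is out of range) then stores -1 as the "safe" offset, which is exactly the corrupt value it was meant to replace. Checking once at the top closes both: `if (fseek(fi, 0, SEEK_END) != 0 || (file_size = ftell(fi)) < 0) { fclose(fi); return 0; }` followed by `tag_offset = file_size;`. With that in place the range test in the following hunk can rely on file_size being a real end-of-file position. ReadMP3GainAPETag starts in this hunk and its body continues past the end of it.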
@@ -373,7 +383,11 @@
 		ReadMP3ID3v1Tag ( fi, &(fileTags->id31tag), &tag_offset );
 	} while ( offs_bk != tag_offset );
 
-	fileTags->tagOffset = tag_offset;
+	if (tag_offset >= 0 && tag_offset <= file_size) {
+		fileTags->tagOffset = tag_offset;
+	} else { //Corrupt tag information, simply default to end-of-file
+		fileTags->tagOffset = file_size;
+	}
 
     fclose(fi);