[easytag/easytag-2-2] Do some validation of Vorbis artwork field lengths
- From: David King <davidk src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [easytag/easytag-2-2] Do some validation of Vorbis artwork field lengths
- Date: Sun, 4 Jan 2015 18:28:51 +0000 (UTC)
commit 472de5711f501c0eb901619cfb34c41eaa3f3ae5
Author: David King <amigadave amigadave com>
Date: Sun Jan 4 11:34:44 2015 +0000
Do some validation of Vorbis artwork field lengths
src/ogg_tag.c | 47 ++++++++++++++++++++++++++++++++++++++++-------
1 files changed, 40 insertions(+), 7 deletions(-)
---
diff --git a/src/ogg_tag.c b/src/ogg_tag.c
index 8d5892b..a043d8d 100644
--- a/src/ogg_tag.c
+++ b/src/ogg_tag.c
@@ -570,35 +570,60 @@ et_add_file_tags_from_vorbis_comments (vorbis_comment *vc, File_Tag *FileTag,
* whole structure (8 fields of 4 bytes each). */
if (decoded_size < 8 * 4)
{
- /* Mark the file as modified, so that the invalid field is removed
- * upon saving. */
- FileTag->saved = FALSE;
-
- g_free (decoded_ustr);
- continue;
+ goto invalid_picture;
}
/* Reading picture type. */
pic->type = read_guint32_from_byte (decoded_ustr, 0);
bytes_pos = 4;
+ /* TODO: Check that there is a maximum of 1 of each of
+ * ET_PICTURE_TYPE_FILE_ICON and ET_PICTURE_TYPE_OTHER_FILE_ICON types
+ * in the file. */
+ if (pic->type >= ET_PICTURE_TYPE_UNDEFINED)
+ {
+ goto invalid_picture;
+ }
+
/* Reading MIME data. */
mimelen = read_guint32_from_byte (decoded_ustr, bytes_pos);
- bytes_pos = 8 + mimelen;
+ bytes_pos += 4;
+
+ if (mimelen > decoded_size - bytes_pos - (6 * 4))
+ {
+ goto invalid_picture;
+ }
+
+ /* Skip over the MIME type, as gdk-pixbuf does not use it. */
+ /* TODO: Check for one of "image/", "image/png", "image/jpeg" and "-->"
+ * (the check for "", length 0, is already covered). */
+ bytes_pos += mimelen;
/* Reading description */
desclen = read_guint32_from_byte (decoded_ustr, bytes_pos);
bytes_pos += 4;
+ if (desclen > decoded_size - bytes_pos - (5 * 4))
+ {
+ goto invalid_picture;
+ }
+
pic->description = g_strndup ((const gchar *)&decoded_ustr[bytes_pos],
desclen);
+ /* Skip the width, height, color depth and number-of-colors fields. */
bytes_pos += desclen + 16;
/* Reading picture size */
pic->size = read_guint32_from_byte (decoded_ustr, bytes_pos);
bytes_pos += 4;
+ if (pic->size > decoded_size - bytes_pos)
+ {
+ g_free (pic->description);
+ goto invalid_picture;
+ }
+
/* Reading decoded picture */
pic->data = g_malloc (pic->size);
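Review bot: In the `pic->size` check the error path frees `pic->description` but leaves the pointer set, and the `invalid_picture` label in the second hunk releases only `decoded_ustr`, never `pic`. The allocation of `pic` is outside this hunk, so this is inferred, but if `pic` is already linked into `FileTag` at that point, a later free of the picture list would free the description a second time, and `pic->type` and `pic->size` would keep values taken from the rejected field. I would add `pic->description = NULL;` after the `g_free`, or better read the type and size into locals and store them in `pic` only once every length check has passed. The four earlier `goto invalid_picture` exits leave `pic` in the same half-initialised state and are worth covering by the same cleanup at the label.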
@@ -608,6 +633,14 @@ et_add_file_tags_from_vorbis_comments (vorbis_comment *vc, File_Tag *FileTag,
}
g_free (decoded_ustr);
+ continue;
+
+invalid_picture:
+ /* Mark the file as modified, so that the invalid field is removed upon
+ * saving. */
+ FileTag->saved = FALSE;
+
+ g_free (decoded_ustr);
}
/***************************