[tracker] tracker-extract: Check size specified in id3v2.0/2.3/2.4 frames



commit 04c0484c5f35fbd915c86f9f730b864ee0e8caad
Author: Carlos Garnacho <carlosg gnome org>
Date:   Sat Jan 28 16:54:42 2017 +0100

    tracker-extract: Check size specified in id3v2.0/2.3/2.4 frames
    
    It could conceivably be used to read past mmap()ped memory boundaries
    given the right conditions. Bailing out early avoids that.
    
    Coverity ID: 1298199 (Tentative fix)

 src/tracker-extract/tracker-extract-mp3.c |   24 ++++++++++++++++++++++++
 1 files changed, 24 insertions(+), 0 deletions(-)
---
diff --git a/src/tracker-extract/tracker-extract-mp3.c b/src/tracker-extract/tracker-extract-mp3.c
index a29b8d3..1d80d51 100644
--- a/src/tracker-extract/tracker-extract-mp3.c
+++ b/src/tracker-extract/tracker-extract-mp3.c
@@ -1879,6 +1879,14 @@ parse_id3v24 (const gchar           *data,
                         ((data[pos+6] & 0x7F) << 7) |
                         ((data[pos+7] & 0x7F) << 0));
 
+               if (pos + frame_size + csize > size) {
+                       g_debug ("[v24] Size of current frame '%s' (%" G_GSIZE_FORMAT ") "
+                                "exceeds file boundaries (%" G_GSIZE_FORMAT "), "
+                                "not processing any more frames",
+                                frame_name, csize, size);
+                       break;
+               }
+
                flags = (((unsigned char) (data[pos + 8]) << 8) +
                         ((unsigned char) (data[pos + 9])));
 
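Review bot: The new guard `pos + frame_size + csize > size` is computed as an addition that can wrap before the comparison, so a frame size near the top of the type's range (the parse_id3v23 field is a full 32-bit value; on a 32-bit gsize that is enough) makes the sum small and the check passes even though the frame extends past `size`; the same guard appears in the parse_id3v23 and parse_id3v20 hunks. The types of `csize` and `pos` are not visible here, so whether the wrap is reachable on 64-bit builds is inferred, but the subtraction form is safe in either case: `if (csize > size - pos - frame_size) {`. That form depends on the enclosing loop already ensuring `pos + frame_size <= size` before the header bytes at `data[pos+4..pos+7]` are read — the loop condition is outside the hunk, so it is worth confirming, and worth a comment on the guard such as `/* frame header is inside the buffer (loop condition); csize comes from untrusted file data, so bound it without overflow */`. The body of parse_id3v24 starts and ends outside the hunk.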
@@ -2077,6 +2085,14 @@ parse_id3v23 (const gchar          *data,
                         ((unsigned char)(data[pos + 6]) << 8)  |
                         ((unsigned char)(data[pos + 7]) << 0) );
 
+               if (pos + frame_size + csize > size) {
+                       g_debug ("[v23] Size of current frame '%s' (%" G_GSIZE_FORMAT ") "
+                                "exceeds file boundaries (%" G_GSIZE_FORMAT "), "
+                                "not processing any more frames",
+                                frame_name, csize, size);
+                       break;
+               }
+
                flags = (((unsigned char)(data[pos + 8]) << 8) +
                         ((unsigned char)(data[pos + 9])));
 
@@ -2206,6 +2222,14 @@ parse_id3v20 (const gchar          *data,
                         ((unsigned char)(data[pos + 4]) << 8) +
                         ((unsigned char)(data[pos + 5]) ) );
 
+               if (pos + frame_size + csize > size) {
+                       g_debug ("[v20] Size of current frame '%s' (%" G_GSIZE_FORMAT ") "
+                                "exceeds file boundaries (%" G_GSIZE_FORMAT "), "
+                                "not processing any more frames",
+                                frame_name, csize, size);
+                       break;
+               }
+
                pos += frame_size;
 
                if (frame == ID3V2_UNKNOWN) {

