audio/amarok-kde3/patches/patch-ad


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

$NetBSD: patch-ad,v 1.1.1.1 2010/02/16 08:59:13 wiz Exp $

Security fix, SVN r908415 from upstream 1.4.x branch.

--- amarok/src/metadata/audible/audibletag.cpp.orig	2008-08-13 23:21:51.000000000 +0200
+++ amarok/src/metadata/audible/audibletag.cpp
@@ -71,7 +71,8 @@ void Audible::Tag::readTags( FILE *fp )
 {
     char buf[1023];
     fseek(fp, OFF_PRODUCT_ID, SEEK_SET);
-    fread(buf, strlen("product_id"), 1, fp);
+    if (fread(buf, strlen("product_id"), 1, fp) != 1)
+        return;
     if(memcmp(buf, "product_id", strlen("product_id")))
     {
         buf[20]='\0';
@@ -130,24 +131,65 @@ void Audible::Tag::readTags( FILE *fp )
 
 bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
 {
+    // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags                                                                                         
+    const uint32_t maxtaglen = 100000;    
+
     uint32_t nlen;
-    fread(&nlen, sizeof(nlen), 1, fp);
+    if (fread(&nlen, sizeof(nlen), 1, fp) != 1)
+        return false;
     nlen = ntohl(nlen);
     //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
-    *name = new char[nlen+1];
-    (*name)[nlen] = '\0';
+    if (nlen > maxtaglen)
+        return false;
 
     uint32_t vlen;
-    fread(&vlen, sizeof(vlen), 1, fp);
+    if (fread(&vlen, sizeof(vlen), 1, fp) != 1)
+        return false;
     vlen = ntohl(vlen);
     //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
+    if (vlen > maxtaglen)
+        return false;
+
+    *name = new char[nlen+1];
+    if (!*name)
+        return false;
+        
     *value = new char[vlen+1];
+    if (!*value)
+    {
+        delete[] *name;
+        *name = 0;
+        return false;
+    }
+
+    (*name)[nlen] = '\0';
     (*value)[vlen] = '\0';
 
-    fread(*name, nlen, 1, fp);
-    fread(*value, vlen, 1, fp);
+    if (fread(*name, nlen, 1, fp) != 1)
+    {
+        delete[] *name;
+        *name = 0;
+        delete[] *value;
+        *value = 0;
+        return false;
+    }
+    if (fread(*value, vlen, 1, fp) != 1)
+    {
+        delete[] *name;
+        *name = 0;
+        delete[] *value;
+        *value = 0;
+        return false;
+    }
     char lasttag;
-    fread(&lasttag, 1, 1, fp);
+    if (fread(&lasttag, 1, 1, fp) != 1)
+    {
+        delete[] *name;
+        *name = 0;
+        delete[] *value;
+        *value = 0;
+        return false;
+    }
     //fprintf(stderr, "%s: \"%s\"\n", *name, *value);
 
     m_tagsEndOffset += 2 * 4 + nlen + vlen + 1;