Overview

File r908415.diff of Package kde3-amarok

Index: ChangeLog
===================================================================
--- ChangeLog	(revision 908414)
+++ ChangeLog	(revision 908415)
@@ -1,7 +1,10 @@
 Amarok ChangeLog
 ================
-(C) 2002-2007 the Amarok authors.
+(C) 2002-2009 the Amarok authors.
 
+  BUGFIX:
+    * Fix possible buffer overflows when parsing Audible .aa files.
+
 VERSION 1.4.10
   BUGFIX:
     * Fix vulnerability in the Magnatune database parsing code.  Secunia
Index: src/metadata/audible/audibletag.cpp
===================================================================
--- amarok/src/metadata/audible/audibletag.cpp	(revision 908414)
+++ amarok/src/metadata/audible/audibletag.cpp	(revision 908415)
@@ -71,7 +71,8 @@
 {
     char buf[1023];
     fseek(fp, OFF_PRODUCT_ID, SEEK_SET);
-    fread(buf, strlen("product_id"), 1, fp);
+    if (fread(buf, strlen("product_id"), 1, fp) != 1)
+        return;
     if(memcmp(buf, "product_id", strlen("product_id")))
     {
         buf[20]='\0';
@@ -130,24 +131,65 @@
 
 bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
 {
+    // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags                                                                                         
+    const uint32_t maxtaglen = 100000;    
+
     uint32_t nlen;
-    fread(&nlen, sizeof(nlen), 1, fp);
+    if (fread(&nlen, sizeof(nlen), 1, fp) != 1)
+        return false;
     nlen = ntohl(nlen);
     //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
-    *name = new char[nlen+1];
-    (*name)[nlen] = '\0';
+    if (nlen > maxtaglen)
+        return false;
 
     uint32_t vlen;
-    fread(&vlen, sizeof(vlen), 1, fp);
+    if (fread(&vlen, sizeof(vlen), 1, fp) != 1)
+        return false;
     vlen = ntohl(vlen);
     //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
+    if (vlen > maxtaglen)
+        return false;
+
+    *name = new char[nlen+1];
+    if (!*name)
+        return false;
+        
     *value = new char[vlen+1];
+    if (!*value)
+    {
+        delete[] *name;
+        *name = 0;
+        return false;
+    }
+
+    (*name)[nlen] = '\0';
     (*value)[vlen] = '\0';
 
-    fread(*name, nlen, 1, fp);
-    fread(*value, vlen, 1, fp);
+    if (fread(*name, nlen, 1, fp) != 1)
+    {
+        delete[] *name;
+        *name = 0;
+        delete[] *value;
+        *value = 0;
+        return false;
+    }
+    if (fread(*value, vlen, 1, fp) != 1)
+    {
+        delete[] *name;
+        *name = 0;
+        delete[] *value;
+        *value = 0;
+        return false;
+    }
     char lasttag;
-    fread(&lasttag, 1, 1, fp);
+    if (fread(&lasttag, 1, 1, fp) != 1)
+    {
+        delete[] *name;
+        *name = 0;
+        delete[] *value;
+        *value = 0;
+        return false;
+    }
     //fprintf(stderr, "%s: \"%s\"\n", *name, *value);
 
     m_tagsEndOffset += 2 * 4 + nlen + vlen + 1;
openSUSE Build Service is sponsored by
Places