oysteikt
/
mpd
0
0
Fork 0
Code Issues Pull Requests Releases Activity

ape: added protection against large memory allocations 

The function tag_ape_load() retrieves a 32 bit unsigned integer from
the input file, and passes it to g_malloc().  This is dangerous, and
may be used for a denial of service attack on MPD.
This commit is contained in:
Max Kellermann 2009-07-19 17:38:46 +02:00
parent e3ff0ab6d1
commit 0ce727d5d4
2 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
NEWS
View File

@ -1,6 +1,7 @@
ver 0.15.2 (2009/??/??)
* tags:
- ape: check the tag size (fixes integer underflow)
- ape: added protection against large memory allocations
ver 0.15.1 (2009/07/15)

3
src/tag_ape.c
View File

@ -89,6 +89,9 @@ tag_ape_load(const char *file)
tagLen = GUINT32_FROM_LE(footer.length);
if (tagLen <= sizeof(footer) + 10)
goto fail;
if (tagLen > 1024 * 1024)
/* refuse to load more than one megabyte of tag data */
goto fail;
if (fseek(fp, size - tagLen, SEEK_SET))
goto fail;