From 0ce727d5d459c2319edc507eb2e71af8a1c9d5dc Mon Sep 17 00:00:00 2001 From: Max Kellermann Date: Sun, 19 Jul 2009 17:38:46 +0200 Subject: [PATCH] ape: added protection against large memory allocations The function tag_ape_load() retrieves a 32 bit unsigned integer from the input file, and passes it to g_malloc(). This is dangerous, and may be used for a denial of service attack on MPD. --- NEWS | 1 + src/tag_ape.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/NEWS b/NEWS index 66ad2cfed..8e2c59b78 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,7 @@ ver 0.15.2 (2009/??/??) * tags: - ape: check the tag size (fixes integer underflow) + - ape: added protection against large memory allocations ver 0.15.1 (2009/07/15) diff --git a/src/tag_ape.c b/src/tag_ape.c index ef921141b..7cbf32208 100644 --- a/src/tag_ape.c +++ b/src/tag_ape.c @@ -89,6 +89,9 @@ tag_ape_load(const char *file) tagLen = GUINT32_FROM_LE(footer.length); if (tagLen <= sizeof(footer) + 10) goto fail; + if (tagLen > 1024 * 1024) + /* refuse to load more than one megabyte of tag data */ + goto fail; if (fseek(fp, size - tagLen, SEEK_SET)) goto fail;