tag/ApeLoader: fix buffer overflow after unterminated key

2015-10-16 14:40:46 +02:00 · 2015-10-16 14:40:46 +02:00 · 205fba74cf
parent a9bcf8d50d
commit 205fba74cf
2 changed files with 8 additions and 6 deletions
--- a/2
+++ b/2
@ -1,4 +1,6 @@
 ver 0.19.11 (not yet released)
+* tags
+  - ape: fix buffer overflow

 ver 0.19.10 (2015/06/21)
 * input
--- a/src/tag/ApeLoader.cxx
+++ b/src/tag/ApeLoader.cxx
@ -78,12 +78,12 @@ ape_scan_internal(FILE *fp, ApeTagCallback callback)

 		/* get the key */
 		const char *key = p;
-		while (remaining > size && *p != '\0') {
-			p++;
-			remaining--;
-		}
-		p++;
-		remaining--;
+		const char *key_end = (const char *)memchr(p, '\0', remaining);
+		if (key_end == nullptr)
+			break;
+
+		p = key_end + 1;
+		remaining -= p - key;

 		/* get the value */
 		if (remaining < size)