From 35db88affe5d158c1bfda46e4cd0f8c69db4426d Mon Sep 17 00:00:00 2001
From: Jan Brittenson <bson@rockgarden.net>
Date: Mon, 22 Dec 2014 22:26:55 -0800
Subject: [PATCH] DSF ID3 tags hitting 4k size limit

Here's a change to dynamically allocate the DSD ID3 tag buffer.
Pretty much anything with cover art is going to exceed the existing,
static 4k limit...  Here's a change to dynamically allocate the buffer
and sanity check it at some upper limit.  I rather arbitrarily pulled
256k out of thin air just to keep a corrupt file from causing it to
trying to allocate a buffer larger than available memory.
---
 NEWS                           |  2 ++
 src/decoder/plugins/DsdLib.cxx | 20 +++++++++++++-------
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/NEWS b/NEWS
index d33d600d0..54e04ab9a 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,6 @@
 ver 0.19.8 (not yet released)
+* decoder
+  - dsdiff, dsf: allow ID3 tags larger than 4 kB
 
 ver 0.19.7 (2014/12/17)
 * input
diff --git a/src/decoder/plugins/DsdLib.cxx b/src/decoder/plugins/DsdLib.cxx
index 8892ed387..0436b9c3f 100644
--- a/src/decoder/plugins/DsdLib.cxx
+++ b/src/decoder/plugins/DsdLib.cxx
@@ -29,6 +29,7 @@
 #include "input/InputStream.hxx"
 #include "tag/TagId3.hxx"
 #include "util/Error.hxx"
+#include "util/Alloc.hxx"
 
 #include <string.h>
 
@@ -123,22 +124,27 @@ dsdlib_tag_id3(InputStream &is,
 
 	const id3_length_t count = size - offset;
 
-	/* Check and limit id3 tag size to prevent a stack overflow */
-	id3_byte_t dsdid3[4096];
-	if (count == 0 || count > sizeof(dsdid3))
+	if (count < 10 || count > 256*1024)
 		return;
 
-	if (!decoder_read_full(nullptr, is, dsdid3, count))
-		return;
+	id3_byte_t *const id3_buf = static_cast<id3_byte_t*>(xalloc(count));
 
-	struct id3_tag *id3_tag = id3_tag_parse(dsdid3, count);
-	if (id3_tag == nullptr)
+	if (!decoder_read_full(nullptr, is, id3_buf, count)) {
+		free(id3_buf);
 		return;
+	}
+
+	struct id3_tag *id3_tag = id3_tag_parse(id3_buf, count);
+	if (id3_tag == nullptr) {
+		free(id3_buf);
+		return;
+	}
 
 	scan_id3_tag(id3_tag, handler, handler_ctx);
 
 	id3_tag_delete(id3_tag);
 
+	free(id3_buf);
 	return;
 }
 #endif