From 4bb83781e8b131737cf1de9d861757558b3839ea Mon Sep 17 00:00:00 2001
From: Max Kellermann
Date: Sun, 19 Feb 2017 19:11:04 +0100
Subject: [PATCH] output/httpd/IcyMetaDataServer: cast length to unsigned
Fixes another buffer overflow: if the stream has a very long title or URL, resulting in a metadata string of more than 2 kB, icy_string[0] is a negative value, which gets casted to size_t - ouch! https://bugs.musicpd.org/view.php?id=4652
---
 NEWS | 2 ++
 src/output/plugins/httpd/IcyMetaDataServer.cxx | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 1fcae0d6d..967bd68f1 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ ver 0.20.5 (not yet released)
 - id3: fix memory leak on corrupt ID3 tags
 * decoder
 - sidplay: don't require libsidutils when building with libsidplayfp
+* output
+ - httpd: fix two buffer overflows in IcyMetaData length calculation
 * mixer
 - alsa: fix crash bug
diff --git a/src/output/plugins/httpd/IcyMetaDataServer.cxx b/src/output/plugins/httpd/IcyMetaDataServer.cxx
index fbcd07054..a81d2850a 100644
--- a/src/output/plugins/httpd/IcyMetaDataServer.cxx
+++ b/src/output/plugins/httpd/IcyMetaDataServer.cxx
@@ -113,5 +113,5 @@ icy_server_metadata_page(const Tag &tag, const TagType *types)
 if (icy_string.IsNull())
 return nullptr;
- return Page::Copy(icy_string.c_str(), (icy_string[0] * 16) + 1);
+ return Page::Copy(icy_string.c_str(), uint8_t(icy_string[0]) * 16 + 1);
 }
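Review bot: The copy length on the new `return Page::Copy(...)` line is still decoded from the first byte of the buffer, and nothing in this hunk ties it to the number of bytes actually stored behind `icy_string.c_str()`. The cast stops values of 0x80 and above from sign-extending into a huge `size_t`, but the call can now copy up to 255 * 16 + 1 = 4081 bytes, so the code that builds `icy_string` (outside this hunk, as is the start of this function) must guarantee a buffer of at least that size and must reject or truncate metadata that does not fit in a one-byte block count. I would state that invariant next to the call, for example `// byte 0 = ICY length in 16-byte blocks; read it unsigned, buffer must hold 16 * n + 1 bytes`, and write the conversion as `static_cast<uint8_t>(icy_string[0])` so it is greppable. A sturdier design would have the builder return the length as a `size_t` rather than re-deriving it from a `char`.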