From 976fdd76c1c2213ed89e69d3b1ef8378f1cacbf5 Mon Sep 17 00:00:00 2001
From: Max Kellermann <max@duempel.org>
Date: Sun, 6 Mar 2016 23:26:48 +0100
Subject: [PATCH] decoder/opus: limit tag size to 64 kB

---
 NEWS                               | 2 ++
 src/decoder/plugins/OpusReader.hxx | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index cf3e788fc..416af1159 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,6 @@
 ver 0.19.14 (not yet released)
+* decoder
+  - opus: limit tag size to 64 kB
 * fix build failures on non-glibc builds due to constexpr Mutex
 
 ver 0.19.13 (2016/02/23)
diff --git a/src/decoder/plugins/OpusReader.hxx b/src/decoder/plugins/OpusReader.hxx
index c5b8e9107..219f3f42a 100644
--- a/src/decoder/plugins/OpusReader.hxx
+++ b/src/decoder/plugins/OpusReader.hxx
@@ -85,7 +85,7 @@ public:
 
 	char *ReadString() {
 		uint32_t length;
-		if (!ReadWord(length))
+		if (!ReadWord(length) || length >= 65536)
 			return nullptr;
 
 		const char *src = (const char *)Read(length);