From a988b9b0259e7d0b1090913087369dd504cd0f45 Mon Sep 17 00:00:00 2001
From: Max Kellermann <max@duempel.org>
Date: Sat, 18 Jul 2009 22:45:56 +0200
Subject: [PATCH] ape: check the tag size (fixes integer underflow)

The expression "tagLen - size > 0" may result in an integer underflow
and a buffer overflow, when "size" is larger than "tagLen".  "size" is
read from the input file, and must not be trusted.  This patch changes
the expression to "tagLen > size", which is a lot safer.
---
 NEWS          | 2 ++
 src/tag_ape.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index d6da68e72..66ad2cfed 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,6 @@
 ver 0.15.2 (2009/??/??)
+* tags:
+  - ape: check the tag size (fixes integer underflow)
 
 
 ver 0.15.1 (2009/07/15)
diff --git a/src/tag_ape.c b/src/tag_ape.c
index d1249fcb2..0d504dc7d 100644
--- a/src/tag_ape.c
+++ b/src/tag_ape.c
@@ -112,7 +112,7 @@ tag_ape_load(const char *file)
 
 		/* get the key */
 		key = p;
-		while (tagLen - size > 0 && *p != '\0') {
+		while (tagLen > size && *p != '\0') {
 			p++;
 			tagLen--;
 		}