ape: check the tag size (fixes integer underflow)
The expression "tagLen - size > 0" may result in an integer underflow and a buffer overflow, when "size" is larger than "tagLen". "size" is read from the input file, and must not be trusted. This patch changes the expression to "tagLen > size", which is a lot safer.
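Added example, not code from this commit or from MPD's tag_ape.c: a stand-alone C model of the check before and after the patch, with the key loop reduced to a small scanner over a constructed 8-byte sample (the names tag_len, size, scan_key, run_vulnerable and run_fixed are assumptions). It shows that the old expression never stops the scan when the untrusted size exceeds the remaining tag length, while the new one does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Check as it was before the patch. tag_len (bytes left in the tag) and
 * size (value length read from the file) are both unsigned, so when
 * size > tag_len the subtraction wraps to a huge value and the test is
 * always true: the end of the tag never stops the key scan. */
static bool key_fits_old(size_t tag_len, uint32_t size)
{
    return tag_len - size > 0;
}

/* Check as rewritten by the patch: a plain comparison, nothing can wrap. */
static bool key_fits_new(size_t tag_len, uint32_t size)
{
    return tag_len > size;
}

/* Stand-in for the key loop in tag_ape_load, driven by either check.
 * The real loop has no backstop; buf_len is added here only so an overrun
 * is reported as -1 instead of reading past the buffer. Otherwise returns
 * the number of key bytes scanned before the NUL or before the check
 * stopped the loop. */
static long scan_key(const char *buf, size_t buf_len, size_t tag_len,
                     uint32_t size, bool (*fits)(size_t, uint32_t))
{
    const char *p = buf;
    while (fits(tag_len, size)) {
        if ((size_t)(p - buf) >= buf_len)
            return -1;                  /* would read out of bounds */
        if (*p == '\0')
            break;
        p++;
        tag_len--;
    }
    return p - buf;
}

/* Constructed sample: 8 key bytes with no NUL, and an untrusted size of 16
 * that exceeds the 8 bytes remaining in the tag. */
static const char sample[8] = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'};
long run_vulnerable(void) { return scan_key(sample, 8, 8, 16, key_fits_old); }
long run_fixed(void)      { return scan_key(sample, 8, 8, 16, key_fits_new); }

int main(void)
{
    printf("old check: %ld  new check: %ld\n", run_vulnerable(), run_fixed());
    return 0;
}
```

With the old check the scanner walks off the end of the sample (-1); with the new check the loop does not start at all (0), and a caller can reject the item.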
parent c8c91d9aaa
commit a988b9b025
NEWS
@ -1,4 +1,6 @@
ver 0.15.2 (2009/??/??)
ver 0.15.2 (2009/??/??)
* tags:
- ape: check the tag size (fixes integer underflow)
ver 0.15.1 (2009/07/15)
ver 0.15.1 (2009/07/15)
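Review bot: the NEWS line under ver 0.15.2 records only "fixes integer underflow", while the commit message says the underflow leads to a buffer overflow driven by a size read from the input file; stating that impact in the changelog entry (for example "- ape: check the tag size (fixes integer underflow and buffer overflow)") tells packagers and users why this release matters.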
@ -112,7 +112,7 @@ tag_ape_load(const char *file)
/* get the key */
/* get the key */
key = p;
key = p;
while (tagLen - size > 0 && *p != '\0') {
while (tagLen > size && *p != '\0') {
p++;
p++;
tagLen--;
tagLen--;
}
}
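Review bot: `tagLen > size` removes the unsigned wrap, but it only bounds the key scan in this hunk; `size` is the untrusted value length that the loop never consumes, and the loop can also exit with `tagLen == size` and `*p` not yet `'\0'`, so whatever follows the loop (not shown here: skipping the key's terminator and using `size` bytes of value) needs its own `size <= tagLen` check against the now-reduced `tagLen`. A one-line comment above the `while` saying that `size` comes straight from the file would make the purpose of the comparison clear to the next reader.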