tag_ape: removed redundant length check

Extend the tagLen check after reading it.  Removed the second
(redundant) check after the subtraction.
Max Kellermann 2009-07-19 17:37:02 +02:00
parent a988b9b025
commit e3ff0ab6d1


@ -22,6 +22,7 @@
#include <glib.h> #include <glib.h>
#include <assert.h>
#include <stdio.h> #include <stdio.h>
struct tag * struct tag *
@ -86,15 +87,15 @@ tag_ape_load(const char *file)
/* find beginning of ape tag */ /* find beginning of ape tag */
tagLen = GUINT32_FROM_LE(footer.length); tagLen = GUINT32_FROM_LE(footer.length);
if (tagLen < sizeof(footer)) if (tagLen <= sizeof(footer) + 10)
goto fail; goto fail;
if (fseek(fp, size - tagLen, SEEK_SET)) if (fseek(fp, size - tagLen, SEEK_SET))
goto fail; goto fail;
/* read tag into buffer */ /* read tag into buffer */
tagLen -= sizeof(footer); tagLen -= sizeof(footer);
if (tagLen <= 0) assert(tagLen > 10);
goto fail;
buffer = g_malloc(tagLen); buffer = g_malloc(tagLen);
if (fread(buffer, 1, tagLen, fp) != tagLen) if (fread(buffer, 1, tagLen, fp) != tagLen)
goto fail; goto fail;
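Review bot: The extended check on `tagLen` in tag_ape_load sets only a lower bound, yet the value is taken from the file's footer and then used in `size - tagLen` and `g_malloc(tagLen)` with no upper limit. A footer that declares a length larger than the file, or simply a very large one, still reaches the seek and the allocation, and `g_malloc` aborts the process when it cannot satisfy a request. I would reject such lengths in the same condition, for example `if (tagLen <= sizeof(footer) + 10 || tagLen > size) goto fail;`, possibly with a fixed cap on tag size as well. The declarations of `tagLen` and `size` and the `fail` label are outside the hunk, so the types involved and whether `buffer` is released on the `fread` failure path should be confirmed there. The new `assert(tagLen > 10)` is implied by the earlier check, so a short comment such as `/* guaranteed by the length check above */` would make that dependency explicit.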