From 0ee65975fd15949fd934fe287246d676b34244ba Mon Sep 17 00:00:00 2001
From: Ozkan Sezer
Date: Wed, 11 Dec 2019 18:56:50 +0300
Subject: [PATCH] mp3utils.c (musicmatch): add a sanity check and another paranoid check.
---
 src/codecs/mp3utils.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/codecs/mp3utils.c b/src/codecs/mp3utils.c
index 94296d1b..2c46085a 100644
--- a/src/codecs/mp3utils.c
+++ b/src/codecs/mp3utils.c
@@ -219,11 +219,11 @@ static SDL_INLINE long get_musicmatch_len(struct mp3file_t *m) {
 Sint32 i, j, imgext_ofs, version_ofs;
 long len;
 
- /* calc. the image extension section ofs */
 MP3_RWseek(m, -68, RW_SEEK_END);
 MP3_RWread(m, buf, 1, 20);
 imgext_ofs = (Sint32)((buf[3] <<24) | (buf[2] <<16) | (buf[1] <<8) | buf[0] );
 version_ofs = (Sint32)((buf[15]<<24) | (buf[14]<<16) | (buf[13]<<8) | buf[12]);
+ if (version_ofs <= imgext_ofs) return -1;
 /* Try finding the version info section:
 * Because metadata section comes after it, and because metadata section
 * has different sizes across versions (format ver. <= 3.00: always 7868
@@ -256,8 +256,15 @@ static SDL_INLINE long get_musicmatch_len(struct mp3file_t *m) {
 #endif
 len += (version_ofs - imgext_ofs);
 if (m->length < len) return -1;
- if (m->length < len + 256) return len;
+ #ifdef MMTAG_PARANOID
+ MP3_RWseek(m, -len, RW_SEEK_END);
+ MP3_RWread(m, buf, 1, 8);
+ j = (Sint32)((buf[7] <<24) | (buf[6] <<16) | (buf[5] <<8) | buf[4]);
+ /* verify image size: */
+ if (j + 12 != version_ofs - imgext_ofs) return -1;
+ #endif
 /* try finding the optional header */
+ if (m->length < len + 256) return len;
 MP3_RWseek(m, -(len + 256), RW_SEEK_END);
 MP3_RWread(m, buf, 1, 256);
 /* [0..9]: sync string, [30..255]: 0x20 */
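Review bot: The added `if (version_ofs <= imgext_ofs) return -1;` only orders the two offsets relative to each other, so negative values decoded from the tag footer still pass it. Both are Sint32 values assembled from file bytes, and with a negative imgext_ofs the later `len += (version_ofs - imgext_ofs);` (visible in the second hunk) can overflow or produce a length unrelated to the file. Rejecting the negative case in the same test closes that gap: `if (imgext_ofs < 0 || version_ofs <= imgext_ofs) return -1;`. The results of the MP3_RWseek/MP3_RWread calls just above are also not checked, so after a short read the offsets would be computed from whatever buf held before. get_musicmatch_len starts and continues outside this hunk.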
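Review bot: In the MMTAG_PARANOID block of the second hunk the result of `MP3_RWread(m, buf, 1, 8)` is ignored, so after a short read j is decoded from bytes the earlier reads left in buf and the image-size comparison runs on stale data. Assuming MP3_RWread returns the number of items read, as SDL_RWread does, `if (MP3_RWread(m, buf, 1, 8) != 8) return -1;` would make the check meaningful. `j + 12` is signed arithmetic on a file-controlled value and overflows when j is near the Sint32 maximum; `if (j < 0 || j != version_ofs - imgext_ofs - 12) return -1;` avoids that, given that the first hunk already guarantees a positive difference for non-negative offsets. The function body begins and ends outside the hunk, so how len is bounded before the `-len` seek cannot be confirmed from here.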