metadata/flac.c fix potential buffer overrun

Change-Id: Iee12f251455c4fda9d91d10e466d17e5e02046b9
2021-08-01 22:55:28 -04:00 · 2021-08-01 22:55:28 -04:00 · 0501af8b06
commit 0501af8b06
parent 247731fe8c
1 changed files with 12 additions and 0 deletions
--- a/lib/rbcodec/metadata/flac.c
+++ b/lib/rbcodec/metadata/flac.c
@ -125,13 +125,25 @@ bool get_flac_metadata(int fd, struct mp3entry* id3)
                id3->albumart.pos = lseek(fd, 0, SEEK_CUR);

                int bytes_read = read(fd, buf, buf_size);
+                buf[buf_size-1] = '\0';
                i -= bytes_read;
+                if (bytes_read <= picframe_pos + 4) /* get_long_be expects 4 chars */
+                {
+                    logf("flac picture length invalid!");
+                    return false;
+                }

                mime_length = get_long_be(&buf[picframe_pos]);

                char *mime = buf + picframe_pos + 4;
                picframe_pos +=  4 + mime_length;

+                if (bytes_read < picframe_pos)
+                {
+                    logf("flac picture length invalid!");
+                    return false;
+                }
+
                id3->albumart.type = AA_TYPE_UNKNOWN;
                if (memcmp(mime, "image/", 6) == 0)
                {