Commit 516a7ad4 authored by Erik de Castro Lopo's avatar Erik de Castro Lopo

flac/metaflac: Limit the size of metadata blocks

Limit the allowed image file size to slightly less than 2^24 bytes so that
the file size plus extra housekeeping data is strictly less than
2^24 bytes in size.

Patch-from: lvqcl <lvqcl.mail@gmail.com>
parent cf0a6ec7
......@@ -1799,9 +1799,6 @@ FLAC_API FLAC__bool FLAC__metadata_object_picture_set_data(FLAC__StreamMetadata
FLAC__ASSERT(object->type == FLAC__METADATA_TYPE_PICTURE);
FLAC__ASSERT((0 != data && length > 0) || (0 == data && length == 0 && copy == false));
if(length >= (1u << FLAC__STREAM_METADATA_LENGTH_LEN))
return false;
old = object->data.picture.data;
/* do the copy first so that if we fail we leave the object untouched */
......
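Review bot: FLAC__metadata_object_picture_set_data no longer appears to bound `length` itself: the header counts (9 lines down to 6) suggest that the `if(length >= (1u << FLAC__STREAM_METADATA_LENGTH_LEN)) return false;` guard is what this commit drops, although the rendering has lost the +/- markers. The only remaining statement about `length` is the FLAC__ASSERT, which constrains its relation to `data` rather than its magnitude and is presumably compiled out of release builds. Because this is a FLAC_API entry point, callers other than the tools' read_file can now build a PICTURE block whose total length does not fit the 24-bit length field, so the contract should be written down where the guard used to be, e.g. `/* NOTE: block size is not checked here; the caller must ensure object->length stays below (1u << FLAC__STREAM_METADATA_LENGTH_LEN) before writing */`. The function body starts and ends outside the hunk.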
......@@ -287,7 +287,7 @@ static const char * read_file (const char * filepath, FLAC__StreamMetadata * obj
if (size < 0)
return error_messages[5];
if (size >= (1u << FLAC__STREAM_METADATA_LENGTH_LEN))
if (size >= (1u << FLAC__STREAM_METADATA_LENGTH_LEN)) /* actual limit is less because of other fields in the PICTURE metadata block */
return error_messages[11];
if ((buffer = safe_malloc_(size)) == NULL)
......@@ -313,6 +313,9 @@ static const char * read_file (const char * filepath, FLAC__StreamMetadata * obj
/* try to extract resolution/color info if user left it blank */
else if ((obj->data.picture.width == 0 || obj->data.picture.height == 0 || obj->data.picture.depth == 0) && !local__extract_resolution_color_info_(&obj->data.picture))
error_message = error_messages[4];
/* check metadata block size */
else if (obj->length >= (1u << FLAC__STREAM_METADATA_LENGTH_LEN))
error_message = error_messages[11];
return error_message;
}
......
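Review bot: The comment `/* check metadata block size */` on the new final branch of read_file does not say why a second bound is needed after the file-size test in the earlier hunk, nor what it relies on. I would spell it out as `/* size bounds only the image data; obj->length also counts the other PICTURE fields, so re-check the whole block against the 24-bit length field */`. The branch is only as good as `obj->length` at that point: it assumes the setters called earlier in the else-if chain (outside the hunk) have already folded every field into `obj->length`, which is worth confirming. Both checks return `error_messages[11]`, so a file that passes the first test but fails the second is reported with the same message and no hint that the other fields pushed the block over the limit. read_file starts outside these hunks.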