tag/ApeLoader: fix buffer overflow after unterminated key

205fba74 · Max Kellermann · a9bcf8d5 · 205fba74 · 205fba74
Commit 205fba74 authored Oct 16, 2015 by Max Kellermann
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 6 deletions

NEWS NEWS +2 -0

ApeLoader.cxx src/tag/ApeLoader.cxx +6 -6

No files found.
--- a/NEWS
+++ b/NEWS
 ver 0.19.11 (not yet released)
+* tags
+  - ape: fix buffer overflow
 ver 0.19.10 (2015/06/21)
 * input

--- a/src/tag/ApeLoader.cxx
+++ b/src/tag/ApeLoader.cxx
@@ -78,12 +78,12 @@ ape_scan_internal(FILE *fp, ApeTagCallback callback)
 		/* get the key */
 		const char *key = p;
-		while (remaining > size && *p != '\0') {
+		const char *key_end = (const char *)memchr(p, '\0', remaining);
-			p++;
+		if (key_end == nullptr)
-			remaining--;
+			break;
-		}
-		p++;
+		p = key_end + 1;
-		remaining--;
+		remaining -= p - key;
 		/* get the value */
 		if (remaining < size)