ape: check the tag size (fixes integer underflow)

The expression "tagLen - size > 0" may result in an integer underflow and a buffer overflow, when "size" is larger than "tagLen". "size" is read from the input file, and must not be trusted. This patch changes the expression to "tagLen > size", which is a lot safer.

ape: check the tag size (fixes integer underflow)
a988b9b0 · Max Kellermann · c8c91d9a · a988b9b0 · a988b9b0
Commit a988b9b0 authored Jul 18, 2009 by Max Kellermann
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

NEWS NEWS +2 -0

tag_ape.c src/tag_ape.c +1 -1

No files found.
--- a/NEWS
+++ b/NEWS
 ver 0.15.2 (2009/??/??)
+* tags:
+  - ape: check the tag size (fixes integer underflow)


 ver 0.15.1 (2009/07/15)

--- a/src/tag_ape.c
+++ b/src/tag_ape.c
@@ -112,7 +112,7 @@ tag_ape_load(const char *file)

 		/* get the key */
 		key = p;
-		while (tagLen - size > 0 && *p != '\0') {
+		while (tagLen > size && *p != '\0') {
 			p++;
 			tagLen--;
 		}