Package: libtag1
Version: 1.3.1-1
Severity: normal
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If libtag1 (or taglib) is used to read large ogg vorbis user comments,
it crashes if the comment is not fully contained in the ByteVector read
by the TagLib::Ogg::XiphComment::parse(ByteVector) method.
I stored the lyrics of some music titles in the ogg vorbis comment
section. Some of these lyrics are around a hundred lines long. When
opening these files with applications that use libtag1 for tag reading
(like juk and amarok), the application, or at least a part of it, crashed.
Here's the vorbiscomment output of one of these files:
artist=alicia keys
album=the diary of alicia keys
title=you don't know my name
date=2003
genre=r&b
tracknumber=05
cdrom-reading=cdparanoia --never-skip
encoding=oggenc -q8
encoded-by=daniel schoemer
encoding-date=thu, 07 apr 2005 12:06:55 +0200
lyrics_01=Baby, baby, baby from the day I saw you
lyrics_02=I really, really wanted to catch your eye
lyrics_03=There's something special 'bout you
lyrics_04=I must really like you
lyrics_05='Cause not a lot of guys are worth my time
lyrics_06=Ooh baby, baby, baby
lyrics_07=It's getting kinda crazy
lyrics_08='Cause you are taking over my mind
lyrics_09=
lyrics_10=And it feels like
lyrics_11=Ooh, ooh, ooh
lyrics_12=You don't know my name
lyrics_13=I swear
lyrics_14=It feels like
lyrics_15=Ooh, ooh, ooh
lyrics_16=You don't know my name
lyrics_17=Round and round and round we go
lyrics_18=Will you ever know?
lyrics_19=
lyrics_20=Oh, baby, baby, baby
lyrics_21=I see us on our first date
lyrics_22=You doing everything that makes me smile and when we had our first kiss
lyrics_23=It happened on a Thursday
lyrics_24=Oh, it set my soul on fire
lyrics_25=Oh, baby, baby, baby
lyrics_26=I can't wait for the first time, my imagination's running wild
lyrics_27=
lyrics_28=And it feels like
lyrics_29=Ooh, ooh, ooh
lyrics_30=You don't know my name
lyrics_31=I swear
lyrics_32=It feels like
lyrics_33=Ooh, ooh, ooh
lyrics_34=You don't know my name
lyrics_35=Round and round and round we go
lyrics_36=Will you ever know?
lyrics_37=
lyrics_38=I'm saying, "He don't even know what he's doing to me
lyrics_39=Got me feeling all crazy inside
lyrics_40=I'm feeling like whoa!"
lyrics_41=I'm doing nothing I've never done for anyone's attention
lyrics_42=Take notice of what's in front of you cause did I mention?
lyrics_43=Whoa, you about to miss a good thing
lyrics_44=And you'll never know how good it feels to have all of my affection
lyrics_45=And you'll never get a chance to experience my loving, whoa
lyrics_46='Cause my loving feels like
lyrics_47=
lyrics_48=Ooh, ooh, ooh
lyrics_49=You don't know my name
lyrics_50=Round and round and round we go
lyrics_51=Will you ever know?
lyrics_52=Ooh, ooh, ooh
lyrics_53=You don't know my name
lyrics_54=Round and round and round we go
lyrics_55=Will you ever know?
lyrics_56=Will you ever know it? No, no, no, no, no
lyrics_57=Will you ever know it?
lyrics_58=
lyrics_59=Well I'm a'have to just go head and call this boy:
lyrics_60="Hello? Can I speak to, to Michael?
lyrics_61=Oh, hey how you doing?
lyrics_62=I feel kinna silly doin this but uh,
lyrics_63=this is the waitress at the coffee house on 39th and Lenox,
lyrics_64=you know that, one with the braids?
lyrics_65=Yeah, well I see you on Wednesdays all the time,
lyrics_66=you come in every Wednesday on your lunch break, I think,
lyrics_67=and you always order the special, with the hot chocolate.
lyrics_68=My manager be tripping, talking about we gotta use water,
lyrics_69=but I always use some milk and cream for you, cause I think you kinda sweet.
lyrics_70=Anyway, you always got on some fly blue suit and your cufflinks is shining all bright.
lyrics_71=So what you do? Oh word?
lyrics_72=Yeah that's interesting.
lyrics_73=Look man I don't wanna waste your time but I know girls don't usually do this,
lyrics_74=but I was wondering if maybe we could get together outside the restaurant one day?
lyrics_75=You know cause I do look a little different outside my work clothes.
lyrics_76=I mean we could just go across the street to the park right yeah.
lyrics_77=Wait, hold up my... my cell phone, breaking up, hold up, can you hear me now?
lyrics_78=Yeah, so what day did you say?
lyrics_79=Oh yeah, Thursday, perfect man!
lyrics_80=
lyrics_81=And it feels like
lyrics_82=Ooh, ooh, ooh
lyrics_83=You don't know my name
lyrics_84=I swear
lyrics_85=It feels like
lyrics_86=Ooh, ooh, ooh
lyrics_87=You don't know my name
lyrics_88=Round and round and round we go
lyrics_89=Will you ever know?
lyrics_90=
lyrics_91=And it feels like
lyrics_92=Ooh, ooh, ooh
lyrics_93=You don't know my name
lyrics_94=I swear
lyrics_95=It feels like
lyrics_96=Ooh, ooh, ooh
lyrics_97=You don't know my name
lyrics_98=Round and round and round we go
lyrics_99=Will you ever know?
replaygain_track_peak=1.02075815
replaygain_track_gain=-6.99 db
replaygain_album_peak=1.08579028
replaygain_album_gain=-6.86 db
cddb=0xe40fae10
The tag 'lyrics_92' is no longer completely contained in the ByteVector
read by TagLib::Ogg::XiphComment::parse(ByteVector), and there is no check
whether the position to read is valid for the ByteVector. The patch below
adds a very simple fix for this: if the comment to read is not
completely contained in the ByteVector, the for-loop and comment parsing
are simply stopped. This is far from a perfect solution, but the method at
least doesn't crash anymore for large comments.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-k7
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Versions of packages libtag1 depends on:
ii libc6 2.3.2.ds1-21 GNU C Library: Shared libraries an
ii libgcc1 1:3.4.3-9 GCC support library
ii libstdc++5 1:3.3.5-8 The GNU Standard C++ Library v3
ii zlib1g 1:1.2.2-4 compression library - runtime
-- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCos3xrlGl+fr1ZdMRAmNjAJ4iyUfVwnORh/Mv2eOfq2vGAnehDwCg5Lj8
M8/NLtlYWA4g+Zd7kE5m9tQ=
=tzF4
-----END PGP SIGNATURE-----
diff -dNru taglib-1.3.1.orig/taglib/ogg/xiphcomment.cpp taglib-1.3.1/taglib/ogg/xiphcomment.cpp
--- taglib-1.3.1.orig/taglib/ogg/xiphcomment.cpp 2004-05-13 02:29:48.000000000 +0200
+++ taglib-1.3.1/taglib/ogg/xiphcomment.cpp 2005-06-05 10:52:59.502109832 +0200
@@ -277,9 +277,13 @@
// Each comment field is in the format "KEY=value" in a UTF8 string and has
// 4 bytes before the text starts that gives the length.
- int commentLength = data.mid(pos, 4).toUInt(false);
+ uint commentLength = data.mid(pos, 4).toUInt(false);
pos += 4;
+ if (data.size() <= (pos + commentLength) ) {
+ break;
+ }
+
String comment = String(data.mid(pos, commentLength), String::UTF8);
pos += commentLength;
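Review bot: the new bound `if (data.size() <= (pos + commentLength))` is off by one and can be bypassed by arithmetic wrap-around. `<=` rejects a comment that ends exactly at the last byte of `data` (pos + commentLength == data.size() is a valid, fully contained comment), so `<` is the intended comparison. More importantly, `commentLength` is now `uint` while `pos` stays `int`, so `pos + commentLength` is computed as unsigned and wraps for a hostile length near UINT_MAX, making the sum small enough to pass the check before `data.mid(pos, commentLength)` is called with the oversized length. Checking the remaining bytes instead avoids the wrap: `if (pos > data.size() || commentLength > data.size() - pos) break;`. The 4-byte length read itself, `data.mid(pos, 4).toUInt(false)`, is still unchecked; a truncated buffer with fewer than 4 bytes left at `pos` should also stop the loop, so `pos + 4 <= data.size()` belongs before that read, and a short one-line comment on why the loop bails out (truncated or hostile length) would help the next reader.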
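The report describes the Vorbis comment layout (each field is a little-endian 4-byte length followed by a UTF-8 "KEY=value" string) and a parser that reads the field without checking that the length fits in the buffer. The following is an added example, not TagLib code and not the reporter's patch: a stand-alone C++ parser for that layout that checks every length against the bytes actually remaining, so a truncated buffer or a field claiming a length of 0xFFFFFFFF stops parsing instead of reading out of bounds. It assumes the input is the bare comment block (vendor string, then the field list), without the Ogg packet header or framing bit, and the sample data is constructed here from the tags shown in the report.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Result of parsing a Vorbis comment block.
struct VorbisComments {
    std::string vendor;
    std::vector<std::pair<std::string, std::string>> fields;  // KEY, value (split at first '=')
    bool truncated = false;  // block ended (or a length overran it) before all declared fields were read
};

// Read a little-endian uint32 at pos. Fails if fewer than 4 bytes remain.
static bool readU32LE(const std::vector<uint8_t>& d, size_t pos, uint32_t& out) {
    if (pos > d.size() || d.size() - pos < 4) return false;
    out = uint32_t(d[pos]) | (uint32_t(d[pos + 1]) << 8) |
          (uint32_t(d[pos + 2]) << 16) | (uint32_t(d[pos + 3]) << 24);
    return true;
}

// Read a length-prefixed string. The length is compared with the bytes remaining
// rather than computing pos + len, so a hostile length cannot wrap the check.
static bool readString(const std::vector<uint8_t>& d, size_t& pos, std::string& out) {
    uint32_t len = 0;
    if (!readU32LE(d, pos, len)) return false;
    pos += 4;                                // pos <= d.size() here, guaranteed by readU32LE
    if (len > d.size() - pos) return false;  // field claims more bytes than exist
    out.assign(reinterpret_cast<const char*>(d.data() + pos), len);
    pos += len;
    return true;
}

// Parse vendor string, field count, then count fields, stopping at the first one that
// does not fit in the buffer. Never reads past d.size().
VorbisComments parseVorbisComments(const std::vector<uint8_t>& d) {
    VorbisComments vc;
    size_t pos = 0;
    if (!readString(d, pos, vc.vendor)) { vc.truncated = true; return vc; }
    uint32_t count = 0;
    if (!readU32LE(d, pos, count)) { vc.truncated = true; return vc; }
    pos += 4;
    for (uint32_t i = 0; i < count; ++i) {
        std::string comment;
        if (!readString(d, pos, comment)) { vc.truncated = true; break; }
        size_t eq = comment.find('=');
        if (eq == std::string::npos) continue;  // malformed field without '=': skip it
        vc.fields.emplace_back(comment.substr(0, eq), comment.substr(eq + 1));
    }
    return vc;
}

// --- constructed sample data (not taken from a real file) ---
static void putU32LE(std::vector<uint8_t>& d, uint32_t v) {
    for (int i = 0; i < 4; ++i) d.push_back(uint8_t(v >> (8 * i)));
}
static void putString(std::vector<uint8_t>& d, const std::string& s) {
    putU32LE(d, uint32_t(s.size()));
    d.insert(d.end(), s.begin(), s.end());
}

std::vector<uint8_t> buildSample() {
    std::vector<uint8_t> d;
    putString(d, "Xiph.Org libVorbis I 20050304");  // vendor string, assumed value
    putU32LE(d, 3);
    putString(d, "ARTIST=alicia keys");
    putString(d, "TITLE=you don't know my name");
    putString(d, "LYRICS_01=Baby, baby, baby from the day I saw you");
    return d;
}

// Parse the sample with its last dropTail bytes removed (simulates a buffer that ends mid-field).
VorbisComments parseSampleDroppingTail(size_t dropTail) {
    std::vector<uint8_t> d = buildSample();
    if (dropTail > d.size()) dropTail = d.size();
    d.resize(d.size() - dropTail);
    return parseVorbisComments(d);
}

// Parse a block whose single field claims a length of 0xFFFFFFFF.
VorbisComments parseOversizedLength() {
    std::vector<uint8_t> d;
    putString(d, "v");
    putU32LE(d, 1);
    putU32LE(d, 0xFFFFFFFFu);  // hostile length, no payload follows
    return parseVorbisComments(d);
}

int main() {
    VorbisComments ok = parseSampleDroppingTail(0);
    for (const auto& f : ok.fields) std::cout << f.first << "=" << f.second << "\n";
    VorbisComments cut = parseSampleDroppingTail(10);
    std::cout << "truncated=" << cut.truncated << " fields=" << cut.fields.size() << "\n";
    VorbisComments bad = parseOversizedLength();
    std::cout << "oversized length rejected=" << bad.truncated << "\n";
    return 0;
}
```

The essential difference from the patched loop in the report is the order of operations: the remaining byte count is established before the length is trusted, and the comparison is `len > remaining` rather than `size <= pos + len`, so no addition that could wrap ever takes part in the check.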