vlc | branch: master | Fargier Sylvain <[email protected]> | Tue Sep 14 00:24:48 2010 +0200| [639c195bf4a6e89e32042663857165b7eb05b33b] | committer: Rémi Duraffort
Fix out of range memory access when APIC frame type is out of the range defined in the ID3v2 specification (corrupted tag or vendor defined). Signed-off-by: Fargier Sylvain <[email protected]> Signed-off-by: Rémi Duraffort <[email protected]> > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=639c195bf4a6e89e32042663857165b7eb05b33b --- modules/meta_engine/taglib.cpp | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) diff --git a/modules/meta_engine/taglib.cpp b/modules/meta_engine/taglib.cpp index e1e03fb..33866d0 100644 --- a/modules/meta_engine/taglib.cpp +++ b/modules/meta_engine/taglib.cpp @@ -200,6 +200,7 @@ static void ReadMetaFromId3v2( ID3v2::Tag* tag, demux_t* p_demux, demux_meta_t* 3, /* Logo of the band or performer. */ 2 /* Logo of the publisher (record company). */ }; + #define PI_COVER_SCORE_SIZE (sizeof (pi_cover_score) / sizeof (pi_cover_score[0])) int i_score = -1; // Try now to get embedded art @@ -261,9 +262,13 @@ static void ReadMetaFromId3v2( ID3v2::Tag* tag, demux_t* p_demux, demux_meta_t* p_attachment ); free( psz_description ); - if( pi_cover_score[p_apic->type()] > i_score ) + unsigned i_pic_type = p_apic->type(); + if( i_pic_type >= PI_COVER_SCORE_SIZE ) + i_pic_type = 0; // Defaults to "Other" + + if( pi_cover_score[i_pic_type] > i_score ) { - i_score = pi_cover_score[p_apic->type()]; + i_score = pi_cover_score[i_pic_type]; char *psz_url; if( asprintf( &psz_url, "attachment://%s", p_attachment->psz_name ) == -1 ) _______________________________________________ vlc-commits mailing list [email protected] http://mailman.videolan.org/listinfo/vlc-commits
