# Description: Fix code execution via multiple integer overflows and array
# index errors in the metadata parser for audible files.
# Patch: http://websvn.kde.org/?view=rev&revision=908415
7
Index: amarok-1.4.10/amarok/src/metadata/audible/audibletag.cpp
8
===================================================================
9
--- amarok-1.4.10.orig/amarok/src/metadata/audible/audibletag.cpp 2008-08-13 23:21:51.000000000 +0200
10
+++ amarok-1.4.10/amarok/src/metadata/audible/audibletag.cpp 2009-01-18 23:16:28.000000000 +0100
14
fseek(fp, OFF_PRODUCT_ID, SEEK_SET);
15
- fread(buf, strlen("product_id"), 1, fp);
16
+ if (fread(buf, strlen("product_id"), 1, fp) != 1)
18
if(memcmp(buf, "product_id", strlen("product_id")))
23
bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
25
+ // arbitrary value that has to be smaller than 2^32-1 and that should be large enough for all tags
26
+ const uint32_t maxtaglen = 100000;
29
- fread(&nlen, sizeof(nlen), 1, fp);
30
+ if (fread(&nlen, sizeof(nlen), 1, fp) != 1)
33
//fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
34
- *name = new char[nlen+1];
35
- (*name)[nlen] = '\0';
36
+ if (nlen > maxtaglen)
40
- fread(&vlen, sizeof(vlen), 1, fp);
41
+ if (fread(&vlen, sizeof(vlen), 1, fp) != 1)
44
//fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
45
+ if (vlen > maxtaglen)
48
+ *name = new char[nlen+1];
52
*value = new char[vlen+1];
60
+ (*name)[nlen] = '\0';
61
(*value)[vlen] = '\0';
63
- fread(*name, nlen, 1, fp);
64
- fread(*value, vlen, 1, fp);
65
+ if (fread(*name, nlen, 1, fp) != 1)
73
+ if (fread(*value, vlen, 1, fp) != 1)
82
- fread(&lasttag, 1, 1, fp);
83
+ if (fread(&lasttag, 1, 1, fp) != 1)
91
//fprintf(stderr, "%s: \"%s\"\n", *name, *value);
93
m_tagsEndOffset += 2 * 4 + nlen + vlen + 1;
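Review bot: The comment added above `maxtaglen` in `readTag` says the limit has to stay below 2^32-1 but not why, and that reason is what a maintainer needs before ever raising the value. Assuming `nlen` and `vlen` are 32-bit unsigned like `maxtaglen` (their declarations are not shown here), the bound is what keeps `nlen+1` and `vlen+1` from wrapping to 0 in the `new char[...]` sizes, so I would extend the comment to something like `// must stay below 2^32-1: nlen+1 / vlen+1 are computed in 32 bits and must not wrap, otherwise the '\0' stores at [nlen] and [vlen] fall outside the allocation`. The gutter numbers skip after each new `if (fread(...) != 1)` line, so the branch bodies are not on this page. That means I cannot confirm from here that `*name` and `*value` are released and reset when the later reads fail, which is worth checking against the full patch. `readTag`'s body also continues past the last line shown.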