ape: added protection against large memory allocations

The function tag_ape_load() retrieves a 32 bit unsigned integer from the input file, and passes it to g_malloc(). This is dangerous, and may be used for a denial of service attack on MPD.

ape: added protection against large memory allocations
0ce727d5 · Max Kellermann · e3ff0ab6 · 0ce727d5 · 0ce727d5
Commit 0ce727d5 authored Jul 19, 2009 by Max Kellermann
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

NEWS NEWS +1 -0

tag_ape.c src/tag_ape.c +3 -0

No files found.
--- a/NEWS
+++ b/NEWS
 ver 0.15.2 (2009/??/??)
 * tags:
  - ape: check the tag size (fixes integer underflow)
+  - ape: added protection against large memory allocations


 ver 0.15.1 (2009/07/15)

--- a/src/tag_ape.c
+++ b/src/tag_ape.c
@@ -89,6 +89,9 @@ tag_ape_load(const char *file)
 	tagLen = GUINT32_FROM_LE(footer.length);
 	if (tagLen <= sizeof(footer) + 10)
 		goto fail;
+	if (tagLen > 1024 * 1024)
+		/* refuse to load more than one megabyte of tag data */
+		goto fail;
 	if (fseek(fp, size - tagLen, SEEK_SET))
 		goto fail;