42 lines
1.5 KiB
Diff
42 lines
1.5 KiB
Diff
From 4f583ff12989f7cea1f81bd2751c321030f1bdbf Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Hubert=20Figui=C3=A8re?= <hub@figuiere.net>
|
|
Date: Sun, 28 Jul 2019 10:15:19 -0400
|
|
Subject: [PATCH] (CVE-2020-18651) Issue #13 - Fix a buffer a overflow in ID3
|
|
support
|
|
|
|
https://gitlab.freedesktop.org/libopenraw/exempi/issues/13
|
|
(cherry picked from commit fdd4765a699f9700850098b43b9798b933acb32f)
|
|
---
|
|
XMPFiles/source/FormatSupport/ID3_Support.cpp | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/XMPFiles/source/FormatSupport/ID3_Support.cpp b/XMPFiles/source/FormatSupport/ID3_Support.cpp
|
|
index dd19c16..4619079 100644
|
|
--- a/XMPFiles/source/FormatSupport/ID3_Support.cpp
|
|
+++ b/XMPFiles/source/FormatSupport/ID3_Support.cpp
|
|
@@ -669,6 +669,10 @@ bool ID3v2Frame::getFrameValue ( XMP_Uns8 majorVersion, XMP_Uns32 logicalID, std
|
|
std::string tmp ( this->content, this->contentSize );
|
|
bool bigEndian = true; // assume for now (if no BOM follows)
|
|
|
|
+ if (pos + 2 > this->contentSize) {
|
|
+ // No enough for the string
|
|
+ break;
|
|
+ }
|
|
if ( GetUns16BE ( &this->content[pos] ) == 0xFEFF ) {
|
|
pos += 2;
|
|
bigEndian = true;
|
|
@@ -686,6 +690,10 @@ bool ID3v2Frame::getFrameValue ( XMP_Uns8 majorVersion, XMP_Uns32 logicalID, std
|
|
{
|
|
if ( commMode && (! advancePastCOMMDescriptor ( pos )) ) return false; // not a frame of interest!
|
|
|
|
+ if (pos + 4 > this->contentSize) {
|
|
+ // No enough for the string
|
|
+ break;
|
|
+ }
|
|
if ( (GetUns32BE ( &this->content[pos]) & 0xFFFFFF00 ) == 0xEFBBBF00 ) {
|
|
pos += 3; // swallow any BOM, just in case
|
|
}
|
|
--
|
|
2.41.0
|
|
|