code: plan9front


ref: 88377fc82f0f0feb34798813a7f5fccb8c1941b6
parent: abdb62608209861e52798c1225d8779c5cd96196
author: Sigrid Solveig Haflínudóttir <sigrid@ftrv.se>
date: Mon Mar 4 13:53:51 EST 2024

libtags: fix multiple issues found by fuzzing

--- a/sys/src/cmd/audio/libtags/flac.c
+++ b/sys/src/cmd/audio/libtags/flac.c
@@ -45,7 +45,7 @@
 			sz -= 8;
 			n = beuint(&d[4]);
 			mime = ctx->buf+20;
-			if(n >= sz || n >= ctx->bufsz-1 || ctx->read(ctx, mime, n) != n)
+			if(n >= sz || n >= ctx->bufsz-20 || ctx->read(ctx, mime, n) != n)
 				return -1;
 			sz -= n;
 			mime[n] = 0;
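Review bot: The corrected bound `n >= ctx->bufsz-20` still lets a negative n through if n is declared as a signed int, because beuint() presumably yields an unsigned 32-bit value and a length with the top bit set converts to a negative n that satisfies neither `n >= sz` nor `n >= ctx->bufsz-20`. Whether that matters depends on how ctx->read treats a negative count, which is outside the hunk. If n is an int, `if(n < 0 || n >= sz || n >= ctx->bufsz-20 || ctx->read(ctx, mime, n) != n)` closes that path explicitly. The enclosing function starts and ends outside the hunk.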
--- a/sys/src/cmd/audio/libtags/id3v2.c
+++ b/sys/src/cmd/audio/libtags/id3v2.c
@@ -35,7 +35,7 @@
 		for(; v[0]; v++){
 			if(v[0] == '(' && v[1] <= '9' && v[1] >= '0'){
 				int i = atoi(&v[1]);
-				if(i < Numgenre)
+				if(i >= 0 && i < Numgenre)
 					txtcb(ctx, Tgenre, k-1, id3genres[i]);
 				for(v++; v[0] && v[0] != ')'; v++);
 				v--;
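Review bot: The added lower bound `i >= 0` on the genre index reads as redundant next to the `v[1] >= '0'` digit test two lines above it, since a reader does not see where a negative value could come from. A one-line comment would keep a later cleanup from dropping it, e.g. `/* atoi can return a negative value on an overlong digit run; reject it too */` placed above the check. The enclosing loop and function continue outside the hunk.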
--- a/sys/src/cmd/audio/libtags/m4a.c
+++ b/sys/src/cmd/audio/libtags/m4a.c
@@ -19,7 +19,7 @@
 	sz = beuint(d) - 4; /* already have 8 bytes */
 
 	for(;;){
-		if(ctx->seek(ctx, sz, 1) < 0)
+		if(sz < 0 || ctx->seek(ctx, sz, 1) < 0)
 			return -1;
 		if(ctx->read(ctx, d, 4) != 4) /* size */
 			break;
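Review bot: The new `sz < 0` guard before the seek, like the `skip < 0` guard added in the second hunk of this file (at line 58), only has an effect if sz and skip are signed; if either is declared as uint the comparison is always false and the malformed size reaches seek unchecked. Their declarations are outside the hunk, so this needs confirming, and a comment at the first guard, `/* sz is int: an oversized beuint value goes negative and is rejected here */`, would document the assumption. Note also that the guard sits at the top of the loop, so an sz driven negative by the `sz -= 8` in the second hunk is only caught if control comes back around to it, which the hunk does not show.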
@@ -58,6 +58,8 @@
 					return -1;
 				sz -= 8;
 				skip = beuint(d) - 8;
+				if(skip < 0)
+					return -1;
 
 				if(memcmp(&d[4], "mp4a", 4) == 0){ /* audio */
 					n = 6+2 + 2+4+2 + 2+2 + 2+2 + 4; /* read a bunch at once */
--- a/sys/src/cmd/audio/libtags/opus.c
+++ b/sys/src/cmd/audio/libtags/opus.c
@@ -53,7 +53,7 @@
 			if(pgend < ctx->seek(ctx, 0, 1)+sz)
 				break;
 
-			if(ctx->bufsz < sz+1){
+			if(sz > ctx->bufsz-1){
 				if(ctx->seek(ctx, sz, 1) < 0)
 					return -1;
 				continue;
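Review bot: Rewriting the buffer check as `sz > ctx->bufsz-1` removes the `sz+1` overflow, but if sz is a signed int a negative value (a 32-bit length with the top bit set) still passes this test and the `pgend < ctx->seek(ctx, 0, 1)+sz` test above it, and is then handed to whatever read follows outside the hunk. Routing it into this branch would not help either, since a negative sz would then become a negative relative seek, so a separate guard is cleaner: `if(sz < 0)` / `return -1;` placed before the comparison. The identical rewrite in vorbis.c (hunk at line 97) has the same gap. sz's declaration and the rest of the function are outside the hunk.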
--- a/sys/src/cmd/audio/libtags/vorbis.c
+++ b/sys/src/cmd/audio/libtags/vorbis.c
@@ -97,7 +97,7 @@
 			if(pgend < ctx->seek(ctx, 0, 1)+sz)
 				break;
 
-			if(ctx->bufsz < sz+1){
+			if(sz > ctx->bufsz-1){
 				if(ctx->seek(ctx, sz, 1) < 0)
 					return -1;
 				continue;