ref: bde4a1f41cd7f6af7123cc9ed443134e1e84dbe2
parent: 10f28719ce4e3efef7b237fa2f8a339c50a44b7b
author: rrt <rrt>
date: Mon Mar 26 15:31:45 EDT 2007
Guard against numeric & hence buffer overflow when reading comment
--- a/src/aiff.c
+++ b/src/aiff.c
@@ -23,6 +23,7 @@
#include <string.h>
#include <stdio.h>
#include <errno.h>
+#include <limits.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h> /* For SEEK_* defines if not found in stdio */
#endif
@@ -562,6 +563,10 @@
sox_readdw(ft, &timeStamp);
sox_readw(ft, &markerId);
sox_readw(ft, &commentLength);
+ if (((size_t)totalCommentLength) + commentLength > USHRT_MAX) {
+ sox_fail_errno(ft,SOX_EOF,"AIFF: Comment too long in %s header", chunkDescription);
+ return(SOX_EOF);
+ }
totalCommentLength += commentLength;
/* allocate enough memory to hold the text including a terminating \0 */
if(commentIndex == 0) {
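Review bot: The new `return(SOX_EOF)` inside the length guard exits without releasing whatever comment buffer earlier passes may already have allocated; the `commentIndex == 0` test just below suggests the buffer is created for the first comment and grown for later ones, so a file that trips the limit on a later comment would presumably leave that memory held. The allocation itself and the caller are outside this hunk, so confirm that the caller frees the buffer on `SOX_EOF`, or release it here before returning. Separately, the three `sox_readdw`/`sox_readw` calls above the guard ignore their results, so on a truncated header the guard may be comparing a `commentLength` that was never filled in; checking those reads first would make the bound meaningful. A short comment on the guard explaining the choice of `USHRT_MAX` would also help, for example `/* keep the running total small enough that the allocation size below cannot wrap */`, if that is indeed the reason.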