Fix an infinite loop when parsing an INFO tag.

author Tsuda Kageyu <tsuda.kageyu@gmail.com>

Tue, 23 Dec 2014 06:44:17 +0000 (15:44 +0900)

committer Tsuda Kageyu <tsuda.kageyu@gmail.com>

Tue, 30 Dec 2014 16:44:25 +0000 (01:44 +0900)
author Tsuda Kageyu <tsuda.kageyu@gmail.com>
Tue, 23 Dec 2014 06:44:17 +0000 (15:44 +0900)
committer Tsuda Kageyu <tsuda.kageyu@gmail.com>
Tue, 30 Dec 2014 16:44:25 +0000 (01:44 +0900)
diff --git a/taglib/riff/wav/infotag.cpp b/taglib/riff/wav/infotag.cpp

index 7cd2a192a7cf7fb5e799c6fc752cd633a514cf4a..050ff37ca797958b7b8e9344c36aaa0db492bb9d 100644 (file)
--- a/taglib/riff/wav/infotag.cpp
+++ b/taglib/riff/wav/infotag.cpp
@@ -258,9 +258,15 @@ void RIFF::Info::Tag::parse(const ByteVector &data)
    uint p = 4;
    while(p < data.size()) {
      const uint size = data.toUInt(p + 4, false);
-    d->fieldListMap[data.mid(p, 4)] = TagPrivate::stringHandler->parse(data.mid(p + 8, size));
+    if(size > data.size() - p - 8)
+      break;
+
+    const ByteVector id = data.mid(p, 4);
+    if(isValidChunkID(id)) {
+      const String text = TagPrivate::stringHandler->parse(data.mid(p + 8, size));
+      d->fieldListMap[id] = text;
+    }
  
      p += ((size + 1) & ~1) + 8;
    }
  }
-
author	Tsuda Kageyu <tsuda.kageyu@gmail.com>
	Tue, 23 Dec 2014 06:44:17 +0000 (15:44 +0900)
committer	Tsuda Kageyu <tsuda.kageyu@gmail.com>
	Tue, 30 Dec 2014 16:44:25 +0000 (01:44 +0900)