blob: b7e1e22809fb16444d551599f00b5a1203919b1c (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
Lifted from Debian:
https://sources.debian.org/patches/libid3tag/0.15.1b-14/10_utf16.dpatch/
Also fixes:
CVE-2008-2109 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480187#12
CVE-2017-11551 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870333#10
Handle bogus UTF16 sequences that have a length that is not
an even number of 8 bit characters.
--- libid3tag-0.15.1b/utf16.c 2006-01-13 15:26:29.000000000 +0100
+++ libid3tag-0.15.1b/utf16.c 2006-01-13 15:27:19.000000000 +0100
@@ -282,5 +282,18 @@
free(utf16);
+ if (end == *ptr && length % 2 != 0)
+ {
+ /* We were called with a bogus length. It should always
+ * be an even number. We can deal with this in a few ways:
+ * - Always give an error.
+ * - Try and parse as much as we can and
+ * - return an error if we're called again when we
+ * already tried to parse everything we can.
+ * - tell that we parsed it, which is what we do here.
+ */
+ (*ptr)++;
+ }
+
return ucs4;
}
|
