From 8c03a81f2fe2ec6be7b52b0ebe59e9abc7e9071f Mon Sep 17 00:00:00 2001 From: "jiyong.min" Date: Wed, 17 Feb 2021 08:36:50 +0900 Subject: [PATCH] fix an integer underflow due to unsigned subtraction - An integer underflow may occur due to unsigned subtraction. Unsigned subtraction was changed to the comparison between 'purelyFramelen' and 'encodingOffSet'. Change-Id: I6973c56ce1d143e297aac9040ff2238e8af93574 --- packaging/libmm-fileinfo.spec | 2 +- utils/mm_file_util_tag.c | 325 +++++++++++++++++++++--------------------- 2 files changed, 162 insertions(+), 165 deletions(-) diff --git a/packaging/libmm-fileinfo.spec b/packaging/libmm-fileinfo.spec index 875d071..8e68cf0 100644 --- a/packaging/libmm-fileinfo.spec +++ b/packaging/libmm-fileinfo.spec @@ -1,6 +1,6 @@ Name: libmm-fileinfo Summary: Media Fileinfo -Version: 1.0.3 +Version: 1.0.4 Release: 0 Group: System/Libraries License: Apache-2.0 diff --git a/utils/mm_file_util_tag.c b/utils/mm_file_util_tag.c index b8c5423..2163087 100644 --- a/utils/mm_file_util_tag.c +++ b/utils/mm_file_util_tag.c @@ -2961,8 +2961,8 @@ bool mm_file_id3tag_parse_v222(AvFileContentInfo *pInfo, unsigned char *buffer, while ((buffer[curPos - purelyFramelen + encodingOffSet] < 0x20) && (encodingOffSet < purelyFramelen)) encodingOffSet++; - if (purelyFramelen - encodingOffSet <= 0) { - debug_warning(DEBUG, "warning: wrong frame length"); + if (purelyFramelen <= encodingOffSet) { + debug_warning(DEBUG, "warning: invalid frame length %lu %u", purelyFramelen, encodingOffSet); continue; } 
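Review bot: The `while` loop left as context above the new guard in mm_file_id3tag_parse_v222 reads `buffer[curPos - purelyFramelen + encodingOffSet]` before it tests `encodingOffSet < purelyFramelen`, so when every byte of the frame is below 0x20 the last evaluation reads `buffer[curPos]`, one byte past the frame. The new `purelyFramelen <= encodingOffSet` check only runs after that read has happened. Swapping the operands puts the bound ahead of the access: `while ((encodingOffSet < purelyFramelen) && (buffer[curPos - purelyFramelen + encodingOffSet] < 0x20))`. Whether `buffer[curPos]` is still inside the allocation depends on code outside the hunk, as does the enclosing loop.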
@@ -3126,137 +3126,136 @@ bool mm_file_id3tag_parse_v223(AvFileContentInfo *pInfo, unsigned char *buffer, debug_msg(RELEASE, "this text string(%s) encoded by ISO-8859-1 encodingOffSet(%d)", CompTmp, encodingOffSet); } - mmfile_free(pExtContent); + if (purelyFramelen <= encodingOffSet) { + debug_warning(DEBUG, "warning: invalid frame length %lu %u", purelyFramelen, encodingOffSet); + continue; + } - if (encodingOffSet < purelyFramelen) { - realCpyFrameNum = purelyFramelen - encodingOffSet; - pExtContent = g_malloc0(realCpyFrameNum + 3); + mmfile_free(pExtContent); + realCpyFrameNum = purelyFramelen - encodingOffSet; + pExtContent = g_malloc0(realCpyFrameNum + 3); - if (textEncodingType != AV_ID3V2_UTF16 && textEncodingType != AV_ID3V2_UTF16_BE) { - if (CompTmp[0] == 'T' || (strcmp(CompTmp, "APIC") == 0)) { - debug_msg(RELEASE, "get the new text encoding type"); - textEncodingType = buffer[curPos - purelyFramelen + encodingOffSet - 1]; - } + if (textEncodingType != AV_ID3V2_UTF16 && textEncodingType != AV_ID3V2_UTF16_BE) { + if (CompTmp[0] == 'T' || (strcmp(CompTmp, "APIC") == 0)) { + debug_msg(RELEASE, "get the new text encoding type"); + textEncodingType = buffer[curPos - purelyFramelen + encodingOffSet - 1]; } + } - if (textEncodingType > AV_ID3V2_MAX) { - debug_msg(DEBUG, "WRONG ENCOIDNG TYPE [%d], FRAME[%s]", textEncodingType, (char *)CompTmp); - continue; - } + if (textEncodingType > AV_ID3V2_MAX) { + debug_msg(DEBUG, "WRONG ENCOIDNG TYPE [%d], FRAME[%s]", textEncodingType, (char *)CompTmp); + continue; + } - memcpy(pExtContent, &buffer[curPos - purelyFramelen + encodingOffSet], purelyFramelen - encodingOffSet); - if (realCpyFrameNum > 0) { - switch (tag_id) { - case AV_ID3TAG_COMMENT: - if (realCpyFrameNum > 3) { - realCpyFrameNum -= 3; - tmp = 3; + memcpy(pExtContent, &buffer[curPos - purelyFramelen + encodingOffSet], purelyFramelen - encodingOffSet); + if (realCpyFrameNum > 0) { + switch (tag_id) { + case AV_ID3TAG_COMMENT: + if (realCpyFrameNum > 3) { + 
realCpyFrameNum -= 3; + tmp = 3; - /*pExtContent[tmp+1] value should't have encoding value */ - if (pExtContent[tmp] == 0x00 || pExtContent[tmp] == 0xFF || pExtContent[tmp] == 0xFE) { - textEncodingType = __id3tag_get_text_encoding_v223(pExtContent, &realCpyFrameNum, textEncodingType, &tmp); + /*pExtContent[tmp+1] value should't have encoding value */ + if (pExtContent[tmp] == 0x00 || pExtContent[tmp] == 0xFF || pExtContent[tmp] == 0xFE) { + textEncodingType = __id3tag_get_text_encoding_v223(pExtContent, &realCpyFrameNum, textEncodingType, &tmp); - debug_msg(RELEASE, "tmp(%d) textEncodingType(%d), realCpyFrameNum(%d)", tmp, textEncodingType, realCpyFrameNum); - pInfo->tagInfo[tag_id].value = mmfile_convert_to_utf8((const char *)&pExtContent[tmp], realCpyFrameNum, charset_array[textEncodingType]); - } else { - debug_msg(RELEASE, "failed to get Comment: tmp(%d), purelyFramelen - encodingOffSet(%lu)", tmp, purelyFramelen - encodingOffSet); - } + debug_msg(RELEASE, "tmp(%d) textEncodingType(%d), realCpyFrameNum(%d)", tmp, textEncodingType, realCpyFrameNum); + pInfo->tagInfo[tag_id].value = mmfile_convert_to_utf8((const char *)&pExtContent[tmp], realCpyFrameNum, charset_array[textEncodingType]); } else { - debug_msg(RELEASE, "Description info too small to parse realCpyFrameNum(%d)", realCpyFrameNum); + debug_msg(RELEASE, "failed to get Comment: tmp(%d), purelyFramelen - encodingOffSet(%lu)", tmp, purelyFramelen - encodingOffSet); } - break; + } else { + debug_msg(RELEASE, "Description info too small to parse realCpyFrameNum(%d)", realCpyFrameNum); + } + break; - case AV_ID3TAG_SYNCLYRICS: - if (realCpyFrameNum > 5) { - realCpyFrameNum -= 5; - tmp = 5; + case AV_ID3TAG_SYNCLYRICS: + if (realCpyFrameNum > 5) { + realCpyFrameNum -= 5; + tmp = 5; - /*pExtContent[tmp+1] value should't have encoding value */ - if (pExtContent[tmp] == 0x00 || pExtContent[tmp] == 0xFF || pExtContent[tmp] == 0xFE) { - textEncodingType = __id3tag_get_text_encoding_v223(pExtContent, 
&realCpyFrameNum, textEncodingType, &tmp); + /*pExtContent[tmp+1] value should't have encoding value */ + if (pExtContent[tmp] == 0x00 || pExtContent[tmp] == 0xFF || pExtContent[tmp] == 0xFE) { + textEncodingType = __id3tag_get_text_encoding_v223(pExtContent, &realCpyFrameNum, textEncodingType, &tmp); - debug_msg(RELEASE, "tmp(%d) textEncodingType(%d), realCpyFrameNum(%d)", tmp, textEncodingType, realCpyFrameNum); + debug_msg(RELEASE, "tmp(%d) textEncodingType(%d), realCpyFrameNum(%d)", tmp, textEncodingType, realCpyFrameNum); - __id3tag_parse_SYLT(pInfo, pExtContent, realCpyFrameNum, charset_array[textEncodingType], textEncodingType, tmp); - } else { - debug_msg(RELEASE, "failed to get Synchronised lyrics Info tmp(%d), purelyFramelen - encodingOffSet(%lu)", tmp, purelyFramelen - encodingOffSet); - } + __id3tag_parse_SYLT(pInfo, pExtContent, realCpyFrameNum, charset_array[textEncodingType], textEncodingType, tmp); } else { - debug_msg(RELEASE, "Synchronised lyrics too small to parse realCpyFrameNum(%d)", realCpyFrameNum); + debug_msg(RELEASE, "failed to get Synchronised lyrics Info tmp(%d), purelyFramelen - encodingOffSet(%lu)", tmp, purelyFramelen - encodingOffSet); } - break; - - case AV_ID3TAG_UNSYNCLYRICS: - lang_info = strndup((char *)pExtContent, 3); - - if (realCpyFrameNum > 3) { - realCpyFrameNum -= 3; - tmp = 3; - - /*find start of lyrics */ - while (1) { - if (pExtContent[tmp] == 0x00) { - if (pExtContent[tmp + 1] == 0x00) { - realCpyFrameNum -= 2; - tmp += 2; - } - break; - } else { - realCpyFrameNum--; - tmp++; + } else { + debug_msg(RELEASE, "Synchronised lyrics too small to parse realCpyFrameNum(%d)", realCpyFrameNum); + } + break; + + case AV_ID3TAG_UNSYNCLYRICS: + lang_info = strndup((char *)pExtContent, 3); + + if (realCpyFrameNum > 3) { + realCpyFrameNum -= 3; + tmp = 3; + + /*find start of lyrics */ + while (1) { + if (pExtContent[tmp] == 0x00) { + if (pExtContent[tmp + 1] == 0x00) { + realCpyFrameNum -= 2; + tmp += 2; } + break; + } else { + 
realCpyFrameNum--; + tmp++; } + } - /*pExtContent[tmp+1] value should't have encoding value */ - debug_msg(RELEASE, "tpExtContent[%d] %x", tmp, pExtContent[tmp]); - - if (pExtContent[tmp] == 0x00 || pExtContent[tmp] == 0xFF || pExtContent[tmp] == 0xFE) { - textEncodingType = __id3tag_get_text_encoding_v223(pExtContent, &realCpyFrameNum, textEncodingType, &tmp); + /*pExtContent[tmp+1] value should't have encoding value */ + debug_msg(RELEASE, "tpExtContent[%d] %x", tmp, pExtContent[tmp]); - char *char_set = NULL; + if (pExtContent[tmp] == 0x00 || pExtContent[tmp] == 0xFF || pExtContent[tmp] == 0xFE) { + textEncodingType = __id3tag_get_text_encoding_v223(pExtContent, &realCpyFrameNum, textEncodingType, &tmp); - debug_msg(RELEASE, "tmp(%d) textEncodingType(%d), realCpyFrameNum(%d)", tmp, textEncodingType, realCpyFrameNum); + char *char_set = NULL; - if (textEncodingType == AV_ID3V2_ISO_8859) { - if (lang_info != NULL && !g_ascii_strcasecmp(lang_info, "KOR")) { - char_set = strdup("EUC-KR"); - } else { - char_set = mmfile_get_charset((const char *)&pExtContent[tmp]); - } - mmfile_free(lang_info); - } + debug_msg(RELEASE, "tmp(%d) textEncodingType(%d), realCpyFrameNum(%d)", tmp, textEncodingType, realCpyFrameNum); - if (char_set == NULL) { - pInfo->tagInfo[tag_id].value = mmfile_convert_to_utf8((const char *)&pExtContent[tmp], realCpyFrameNum, charset_array[textEncodingType]); + if (textEncodingType == AV_ID3V2_ISO_8859) { + if (lang_info != NULL && !g_ascii_strcasecmp(lang_info, "KOR")) { + char_set = strdup("EUC-KR"); } else { - pInfo->tagInfo[tag_id].value = mmfile_convert_to_utf8((const char *)&pExtContent[tmp], realCpyFrameNum, char_set); - mmfile_free(char_set); + char_set = mmfile_get_charset((const char *)&pExtContent[tmp]); } + mmfile_free(lang_info); + } + + if (char_set == NULL) { + pInfo->tagInfo[tag_id].value = mmfile_convert_to_utf8((const char *)&pExtContent[tmp], realCpyFrameNum, charset_array[textEncodingType]); } else { - debug_msg(RELEASE, "failed to 
get Unsynchronised lyrics Info tmp(%d), purelyFramelen - encodingOffSet(%lu)", tmp, purelyFramelen - encodingOffSet); + pInfo->tagInfo[tag_id].value = mmfile_convert_to_utf8((const char *)&pExtContent[tmp], realCpyFrameNum, char_set); + mmfile_free(char_set); } } else { - debug_msg(RELEASE, "Unsynchronised lyrics too small to parse realCpyFrameNum(%d)", realCpyFrameNum); + debug_msg(RELEASE, "failed to get Unsynchronised lyrics Info tmp(%d), purelyFramelen - encodingOffSet(%lu)", tmp, purelyFramelen - encodingOffSet); } - mmfile_free(lang_info); - break; - - case AV_ID3TAG_PICTURE: - if (extract_artwork) - _mm_file_id3tag_parse_APIC(pInfo, (unsigned char *)pExtContent, realCpyFrameNum, charset_array[textEncodingType]); - break; - - default: - pInfo->tagInfo[tag_id].value = mmfile_convert_to_utf8((const char *)pExtContent, realCpyFrameNum, charset_array[textEncodingType]); - break; + } else { + debug_msg(RELEASE, "Unsynchronised lyrics too small to parse realCpyFrameNum(%d)", realCpyFrameNum); } + mmfile_free(lang_info); + break; + + case AV_ID3TAG_PICTURE: + if (extract_artwork) + _mm_file_id3tag_parse_APIC(pInfo, (unsigned char *)pExtContent, realCpyFrameNum, charset_array[textEncodingType]); + break; - if (pInfo->tagInfo[tag_id].value) - debug_msg(RELEASE, "[%d] returned = (%s)", tag_id, pInfo->tagInfo[tag_id].value); + default: + pInfo->tagInfo[tag_id].value = mmfile_convert_to_utf8((const char *)pExtContent, realCpyFrameNum, charset_array[textEncodingType]); + break; } - } else { - debug_msg(RELEASE, "All of the pExtContent Values are NULL"); + if (pInfo->tagInfo[tag_id].value) + debug_msg(RELEASE, "[%d] returned = (%s)", tag_id, pInfo->tagInfo[tag_id].value); } } 
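Review bot: In the AV_ID3TAG_UNSYNCLYRICS case of mm_file_id3tag_parse_v223, the `while (1)` scan for the end of the content descriptor decrements `realCpyFrameNum` without ever testing it, so the same kind of length underflow this commit removes from the frame-length check is still reachable here. If the frame holds no 0x00 after the language code, the scan only stops in the zeroed padding from `g_malloc0(realCpyFrameNum + 3)`, by which point the count is zero, and `realCpyFrameNum -= 2` then drives it negative (or wraps it, if the variable is unsigned; its declaration is outside the hunk). That value is later handed to `__id3tag_get_text_encoding_v223` and `mmfile_convert_to_utf8` as a length. Bounding the scan by the remaining count avoids this: `while (realCpyFrameNum > 0) {` and `if (realCpyFrameNum > 1 && pExtContent[tmp + 1] == 0x00) {`, with a count of zero after the loop treated as a malformed frame.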
@@ -3385,88 +3384,86 @@ bool mm_file_id3tag_parse_v224(AvFileContentInfo *pInfo, unsigned char *buffer, } } - mmfile_free(pExtContent); - - if (encodingOffSet < purelyFramelen) { - realCpyFrameNum = purelyFramelen - encodingOffSet; - pExtContent = g_malloc0(realCpyFrameNum + 3); + if (purelyFramelen <= encodingOffSet) { + debug_warning(DEBUG, "warning: invalid frame length %lu %u", purelyFramelen, encodingOffSet); + continue; + } - if (textEncodingType != AV_ID3V2_UTF16 && textEncodingType != AV_ID3V2_UTF16_BE) { - if (CompTmp[0] == 'T' || (strcmp(CompTmp, "APIC") == 0)) { - debug_msg(RELEASE, "get the new text encoding type"); - textEncodingType = buffer[curPos - purelyFramelen + encodingOffSet - 1]; - } - } + mmfile_free(pExtContent); + realCpyFrameNum = purelyFramelen - encodingOffSet; + pExtContent = g_malloc0(realCpyFrameNum + 3); - if (textEncodingType > AV_ID3V2_MAX) { - debug_msg(DEBUG, "WRONG ENCOIDNG TYPE [%d], FRAME[%s]", textEncodingType, (char *)CompTmp); - continue; + if (textEncodingType != AV_ID3V2_UTF16 && textEncodingType != AV_ID3V2_UTF16_BE) { + if (CompTmp[0] == 'T' || (strcmp(CompTmp, "APIC") == 0)) { + debug_msg(RELEASE, "get the new text encoding type"); + textEncodingType = buffer[curPos - purelyFramelen + encodingOffSet - 1]; } + } - memcpy(pExtContent, &buffer[curPos - purelyFramelen + encodingOffSet], purelyFramelen - encodingOffSet); - - if (realCpyFrameNum > 0) { - switch (tag_id) { - case AV_ID3TAG_COMMENT: - if (realCpyFrameNum > 3) { - realCpyFrameNum -= 3; - tmp = 3; + if (textEncodingType > AV_ID3V2_MAX) { + debug_msg(DEBUG, "WRONG ENCOIDNG TYPE [%d], FRAME[%s]", textEncodingType, (char *)CompTmp); + continue; + } - textEncodingType = __id3tag_get_text_encoding_v224(pExtContent, &realCpyFrameNum, textEncodingType, &tmp); - debug_msg(RELEASE, "tmp(%d) textEncodingType(%d), realCpyFrameNum(%d)", tmp, textEncodingType, realCpyFrameNum); + memcpy(pExtContent, &buffer[curPos - purelyFramelen + encodingOffSet], purelyFramelen - 
encodingOffSet); - pInfo->tagInfo[tag_id].value = mmfile_convert_to_utf8((const char *)&pExtContent[tmp], realCpyFrameNum, charset_array[textEncodingType]); - } else { - debug_msg(RELEASE, "Description info too small to parse realCpyFrameNum(%d)", realCpyFrameNum); - } - break; + if (realCpyFrameNum > 0) { + switch (tag_id) { + case AV_ID3TAG_COMMENT: + if (realCpyFrameNum > 3) { + realCpyFrameNum -= 3; + tmp = 3; - case AV_ID3TAG_SYNCLYRICS: - if (realCpyFrameNum > 5) { - realCpyFrameNum -= 5; - tmp = 5; + textEncodingType = __id3tag_get_text_encoding_v224(pExtContent, &realCpyFrameNum, textEncodingType, &tmp); + debug_msg(RELEASE, "tmp(%d) textEncodingType(%d), realCpyFrameNum(%d)", tmp, textEncodingType, realCpyFrameNum); - textEncodingType = __id3tag_get_text_encoding_v224(pExtContent, &realCpyFrameNum, textEncodingType, &tmp); - debug_msg(RELEASE, "tmp(%d) textEncodingType(%d), realCpyFrameNum(%d)", tmp, textEncodingType, realCpyFrameNum); + pInfo->tagInfo[tag_id].value = mmfile_convert_to_utf8((const char *)&pExtContent[tmp], realCpyFrameNum, charset_array[textEncodingType]); + } else { + debug_msg(RELEASE, "Description info too small to parse realCpyFrameNum(%d)", realCpyFrameNum); + } + break; - __id3tag_parse_SYLT(pInfo, pExtContent, realCpyFrameNum, charset_array[textEncodingType], textEncodingType, tmp); - } else { - debug_msg(RELEASE, "SyncLyrics info too small to parse realCpyFrameNum(%d)", realCpyFrameNum); - } - break; + case AV_ID3TAG_SYNCLYRICS: + if (realCpyFrameNum > 5) { + realCpyFrameNum -= 5; + tmp = 5; - case AV_ID3TAG_UNSYNCLYRICS: - if (realCpyFrameNum > 3) { - realCpyFrameNum -= 3; - tmp = 3; + textEncodingType = __id3tag_get_text_encoding_v224(pExtContent, &realCpyFrameNum, textEncodingType, &tmp); + debug_msg(RELEASE, "tmp(%d) textEncodingType(%d), realCpyFrameNum(%d)", tmp, textEncodingType, realCpyFrameNum); - textEncodingType = __id3tag_get_text_encoding_v224(pExtContent, &realCpyFrameNum, textEncodingType, &tmp); - debug_msg(RELEASE, 
"tmp(%d) textEncodingType(%d), realCpyFrameNum(%d)", tmp, textEncodingType, realCpyFrameNum); + __id3tag_parse_SYLT(pInfo, pExtContent, realCpyFrameNum, charset_array[textEncodingType], textEncodingType, tmp); + } else { + debug_msg(RELEASE, "SyncLyrics info too small to parse realCpyFrameNum(%d)", realCpyFrameNum); + } + break; - pInfo->tagInfo[tag_id].value = mmfile_convert_to_utf8((const char *)&pExtContent[tmp], realCpyFrameNum, charset_array[textEncodingType]); - } else { - debug_msg(RELEASE, "Description info too small to parse realCpyFrameNum(%d)", realCpyFrameNum); - } - break; + case AV_ID3TAG_UNSYNCLYRICS: + if (realCpyFrameNum > 3) { + realCpyFrameNum -= 3; + tmp = 3; - case AV_ID3TAG_PICTURE: - if (extract_artwork) - _mm_file_id3tag_parse_APIC(pInfo, (unsigned char *)pExtContent, realCpyFrameNum, charset_array[textEncodingType]); - break; + textEncodingType = __id3tag_get_text_encoding_v224(pExtContent, &realCpyFrameNum, textEncodingType, &tmp); + debug_msg(RELEASE, "tmp(%d) textEncodingType(%d), realCpyFrameNum(%d)", tmp, textEncodingType, realCpyFrameNum); - default: - pInfo->tagInfo[tag_id].value = mmfile_convert_to_utf8((const char *)pExtContent, realCpyFrameNum, charset_array[textEncodingType]); - break; + pInfo->tagInfo[tag_id].value = mmfile_convert_to_utf8((const char *)&pExtContent[tmp], realCpyFrameNum, charset_array[textEncodingType]); + } else { + debug_msg(RELEASE, "Description info too small to parse realCpyFrameNum(%d)", realCpyFrameNum); } + break; - if (pInfo->tagInfo[tag_id].value) - debug_msg(RELEASE, "[%d] returned = (%s)", tag_id, pInfo->tagInfo[tag_id].value); + case AV_ID3TAG_PICTURE: + if (extract_artwork) + _mm_file_id3tag_parse_APIC(pInfo, (unsigned char *)pExtContent, realCpyFrameNum, charset_array[textEncodingType]); + break; + + default: + pInfo->tagInfo[tag_id].value = mmfile_convert_to_utf8((const char *)pExtContent, realCpyFrameNum, charset_array[textEncodingType]); + break; } - } else { - debug_msg(RELEASE, 
"mmf_file_id3tag_parse_v224: All of the pExtContent Values are NULL"); + if (pInfo->tagInfo[tag_id].value) + debug_msg(RELEASE, "[%d] returned = (%s)", tag_id, pInfo->tagInfo[tag_id].value); } - } mmfile_free(pExtContent); -- 2.7.4
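Review bot: The allocation and the copy in mm_file_id3tag_parse_v224 take their sizes from two different expressions: `g_malloc0(realCpyFrameNum + 3)` uses the stored count, while the `memcpy` recomputes `purelyFramelen - encodingOffSet` from the wider operands. The format strings print `purelyFramelen` with `%lu` and `realCpyFrameNum` with `%d`, which suggests the count is an int; if so, a frame length that does not fit is narrowed for the allocation but not for the copy. The declarations and any earlier check of `purelyFramelen` against the buffer size are outside the hunk, so this needs confirming. A range test in the new guard would close it either way, for example `if (purelyFramelen <= encodingOffSet || purelyFramelen - encodingOffSet > INT_MAX - 3) {`, with `realCpyFrameNum` then used as the `memcpy` length. The same pair of lines appears in the mm_file_id3tag_parse_v223 hunk.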