1From 2c4ae870ec086f2ddd21a47861a3709c36faac45 Mon Sep 17 00:00:00 2001
2From: Scott Gayou <github.scott@gmail.com>
3Date: Tue, 9 Oct 2018 18:46:55 -0500
4Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)
5 (#869)
6
7CVE-2018-11439 is caused by a failure to check the minimum length
8of a ogg flac header. This header is detailed in full at:
9https://xiph.org/flac/ogg_mapping.html. Added more strict checking
10for entire header.
11[Retrieved from:
12https://github.com/taglib/taglib/commit/2c4ae870ec086f2ddd21a47861a3709c36faac45]
13Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
14---
15 taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
16 1 file changed, 12 insertions(+), 2 deletions(-)
17
18diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
19index 53d04508a..07ea9dccc 100644
20--- a/taglib/ogg/flac/oggflacfile.cpp
21+++ b/taglib/ogg/flac/oggflacfile.cpp
22@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
23
24 if(!metadataHeader.startsWith("fLaC")) {
25 // FLAC 1.1.2+
26+ // See https://xiph.org/flac/ogg_mapping.html for the header specification.
27+ if(metadataHeader.size() < 13)
28+ return;
29+
30+ if(metadataHeader[0] != 0x7f)
31+ return;
32+
33 if(metadataHeader.mid(1, 4) != "FLAC")
34 return;
35
36- if(metadataHeader[5] != 1)
37- return; // not version 1
38+ if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
39+ return; // not version 1.0
40+
41+ if(metadataHeader.mid(9, 4) != "fLaC")
42+ return;
43
44 metadataHeader = metadataHeader.mid(13);
45 }
46
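Review bot: The new version test `if(metadataHeader[5] != 1 && metadataHeader[6] != 0)` does not implement its own comment `// not version 1.0`: with `&&` the early return fires only when both the major and the minor byte are off, so a header with major version 2 and minor 0, or major 1 with any minor, is accepted. If anything other than 1.0 is meant to be rejected the condition should read `if(metadataHeader[5] != 1 || metadataHeader[6] != 0)`; if only the major version matters, keep the original single-byte check and drop the minor comparison so code and comment agree. The added `size() < 13` guard does cover every byte the following checks and the `mid(13)` index touch, so the out-of-bounds read itself is closed; what remains is that a wrong version is not reliably rejected before the rest of the header is handed on. The body of Ogg::FLAC::File::scan() begins before and continues after this hunk.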