Buffer overflow, resource leak & UB
During implementation and testing of a new file type (WMA) I found a few issues:
- Buffer overflow when reading MAC/MPC tag.
  APE tag has a read only handling for ID3V1 tags. If an MAC or MPC file happens to have an ID3V1 tag and one of its fields is empty the method `libapetag_maloc_cont_text` modifies memory before the passed value because `n` becomes negative. This typically causes further out of bound access in `libapetag_maloc_cont` when the negative value is passed as unsigned to the length of `memcpy`. The method should return 0 as soon as `n` becomes 0.
- Resource leak when reading MAC/MPC tag.
  The `GFileInputStream` objects returned from `g_file_read` in `info_mac_read` and `info_mpc_read` are never released. If a large number of MAC/MPC files are analyzed the application crashes because of exhausted file handles. `g_object_unref` should be called.
- Undefined behavior (out of memory) in gio_wrapper.
  When `GIO_InputStream::readBlock` is called with `len` 0 - TagLib happens to do so sometimes - then `rv.data()` returns `nullptr` causing `g_input_stream_read_all` to fail and not assign `bytes`. This causes UB when passed to `rv.resize`. The return value of `g_input_stream_read_all` should be checked and an empty `ByteVector` should be returned in case of an error. The implementation in `GIO_IOStream::readBlock` is similar but initializes bytes to 0, which might be sufficient.
I fixed the issues in my fork of EasyTag but the fix won't match this branch because I switched to C++ and RAII.
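The empty-field case from the first item, as an added example that is not EasyTag or libapetag code: a trailing-padding trim for a fixed-width ID3v1 field, shown in the unsafe form the report describes and in a form that stops once `n` reaches 0. The names `trim_unsafe`, `trim_field` and `trim_with_guard` and the 30-byte field width are assumptions made for the illustration, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define ID3V1_FIELD_LEN 30 /* assumed width of a title/artist/album field */

/* Unsafe pattern from the report, kept for comparison and never called:
 * on an all-padding field n reaches 0, field[n - 1] touches memory before
 * the buffer and n goes negative. */
long trim_unsafe(char *field, long n)
{
    while (field[n - 1] == ' ' || field[n - 1] == '\0')
        field[--n] = '\0';
    return n;
}

/* Hardened trim: stops as soon as n is 0, so field[-1] is never touched.
 * Returns the trimmed length (0 for an empty field). */
size_t trim_field(char *field, size_t n)
{
    while (n > 0 && (field[n - 1] == ' ' || field[n - 1] == '\0'))
        field[--n] = '\0';
    return n;
}

/* Constructed input: one guard byte followed by a field filled with `fill`
 * padding and optional leading text. Returns the trimmed length, or -1 if
 * the text is too long or the guard byte in front of the field changed. */
long trim_with_guard(const char *text, char fill)
{
    char buf[1 + ID3V1_FIELD_LEN];
    size_t len = strlen(text);

    if (len > ID3V1_FIELD_LEN)
        return -1;
    buf[0] = fill; /* looks like padding to the unsafe loop */
    memset(buf + 1, fill, ID3V1_FIELD_LEN);
    memcpy(buf + 1, text, len);
    size_t n = trim_field(buf + 1, ID3V1_FIELD_LEN);
    return buf[0] == fill ? (long)n : -1;
}

int main(void)
{
    printf("empty, space padded: %ld\n", trim_with_guard("", ' '));
    printf("empty, NUL padded:   %ld\n", trim_with_guard("", '\0'));
    printf("\"Song\" + padding:    %ld\n", trim_with_guard("Song", ' '));
    return 0;
}
```

A caller that gets 0 back can skip the field instead of passing a length on to `memcpy`.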