Missing check for invalid length in ByteVector::mid (stack + patch)

Viraj Mody virajmody at gmail.com
Fri Dec 3 20:49:58 CET 2010

I ran into a crash using TagLib with an m4a audio file.

Here's the stack:

> >(std::_Vector_const_iterator<char,std::allocator<char> > _First=0x61 'a',
std::_Vector_const_iterator<char,std::allocator<char> > _Last=0x00, const
wchar_t * _File=0x635cbef8, unsigned int _Line=0x000003a5)  Line 1598 + 0x57
bytes C++
>::_Insert<std::_Vector_const_iterator<char,std::allocator<char> >
>(std::_Vector_const_iterator<char,std::allocator<char> > _Where=...,
std::_Vector_const_iterator<char,std::allocator<char> > _First=0x61 'a',
std::_Vector_const_iterator<char,std::allocator<char> > _Last=0x00,
std::forward_iterator_tag __formal={...})  Line 933 + 0x45 bytes C++
>::insert<std::_Vector_const_iterator<char,std::allocator<char> >
>(std::_Vector_const_iterator<char,std::allocator<char> > _Where=...,
std::_Vector_const_iterator<char,std::allocator<char> > _First=0x61 'a',
std::_Vector_const_iterator<char,std::allocator<char> > _Last=0x00)  Line
890 C++
tagd.dll!TagLib::ByteVector::mid(unsigned int index=0x00000010, unsigned int
length=0xfffffff9)  Line 369 + 0xf9 bytes C++
tagd.dll!TagLib::MP4::Tag::parseData(TagLib::MP4::Atom * atom=0x0255f738,
TagLib::File * file=0x03a9e84c, int expectedFlags=0xffffffff, bool
freeForm=false)  Line 122 + 0x1d bytes C++
tagd.dll!TagLib::MP4::Tag::parseGnre(TagLib::MP4::Atom * atom=0x0255f738,
TagLib::File * file=0x03a9e84c)  Line 143 + 0x18 bytes C++
tagd.dll!TagLib::MP4::Tag::Tag(TagLib::File * file=0x03a9e84c,
TagLib::MP4::Atoms * atoms=0x0255a158)  Line 78 + 0x10 bytes C++
tagd.dll!TagLib::MP4::File::read(bool readProperties=true,
TagLib::AudioProperties::ReadStyle audioPropertiesStyle=Fast)  Line 123 +
0x30 bytes C++
tagd.dll!TagLib::MP4::File::File(TagLib::FileName file={...}, bool
readProperties=true, TagLib::AudioProperties::ReadStyle
audioPropertiesStyle=Fast)  Line 73 C++

There are two problems:
- The obvious one is that ByteVector ByteVector::mid(uint index, uint
length) const doesn't validate length, which can result in invalid iterators
being passed into the STL insert function. I have attached a patch to check
for that problem that seems to work fine. Can someone please verify and
check it into the source tree?
- The root cause of this is why the value of length is bad in the first
place. I don't see the calling code validating it anywhere, so I don't know
if that's intentional. It might be that the audio file itself is corrupt but
I'm happy to provide it if anyone wants to look into this more.

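The bug class behind the trace above, as an added example that is not TagLib's own code: a stand-in vector plays the role of ByteVector, a naive `index + length <= size()` check shows how the unsigned sum wraps for the length seen in the trace (0x10 + 0xfffffff9 == 0x9) and produces an inverted iterator range, and a hardened mid() validates index first and clamps length against the remaining bytes without ever forming the sum. The sample payload and the function names are constructed for the example.

```cpp
#include <cassert>
#include <cstdio>
#include <vector>

// Stand-in for TagLib::ByteVector's storage (constructed for this example,
// not the project's own class).
using ByteVector = std::vector<char>;

// Constructed sample: a 32-byte payload standing in for the atom data
// mid() was called on in the trace.
ByteVector sampleData()
{
  return ByteVector(32, 'a');
}

// The bug class from the stack trace: with unsigned arguments, index + length
// wraps, so 0x10 + 0xfffffff9 == 0x9 passes this check and the resulting
// range [begin()+16, begin()+9) is inverted before it reaches insert().
bool naiveRangeOk(const ByteVector &v, unsigned int index, unsigned int length)
{
  return index + length <= v.size();  // unsigned addition wraps on overflow
}

// Hardened mid(): reject a bad index first, then clamp length against the
// bytes that remain, never forming index + length.
ByteVector safeMid(const ByteVector &v, unsigned int index, unsigned int length)
{
  if (index >= v.size())
    return ByteVector();
  unsigned int remaining = static_cast<unsigned int>(v.size()) - index;
  if (length > remaining)
    length = remaining;
  return ByteVector(v.begin() + index, v.begin() + index + length);
}

int main()
{
  ByteVector v = sampleData();
  std::printf("naive check passes with wrapped length: %d\n",
              naiveRangeOk(v, 0x10, 0xfffffff9) ? 1 : 0);
  std::printf("safeMid(0x10, 0xfffffff9) returns %zu bytes\n",
              safeMid(v, 0x10, 0xfffffff9).size());
  return 0;
}
```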