From 7dff801f34a76dd7950fc1751ce5ee2978e9b32d Mon Sep 17 00:00:00 2001
From: Lars-Dominik Braun
Date: Sat, 28 Nov 2009 12:23:45 +0100
Subject: piano: Don't decrypt too short urls Avoids invalid memory reads/writes
---
 libpiano/src/xml.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'libpiano')
diff --git a/libpiano/src/xml.c b/libpiano/src/xml.c
index 8e8fb2a..185002d 100644
--- a/libpiano/src/xml.c
+++ b/libpiano/src/xml.c
@@ -240,7 +240,10 @@ static void PianoXmlParsePlaylistCb (const char *key, const ezxml_t value,
 char *urlTail = NULL, *urlTailCrypted = &valueStr[valueStrN - urlTailN];
- if ((urlTail = PianoDecryptString (urlTailCrypted)) != NULL) {
+ /* don't try to decrypt if string is too short (=> invalid memory
+ * reads/writes) */
+ if (valueStrN > urlTailN &&
+ (urlTail = PianoDecryptString (urlTailCrypted)) != NULL) {
 if ((song->audioUrl = calloc (valueStrN + 1, sizeof (*song->audioUrl))) != NULL) { memcpy (song->audioUrl, valueStr, valueStrN - urlTailN);
--
cgit v1.2.3
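Review bot: The added `valueStrN > urlTailN` guard keeps a short value out of PianoDecryptString, but the declaration just above it still evaluates `&valueStr[valueStrN - urlTailN]` unconditionally. For a too-short string that address is therefore formed before the check runs, which is undefined behaviour in C even without a dereference; if `valueStrN` is unsigned the index also wraps (its declaration is outside the hunk, so this is inferred). Computing the address only behind the guard avoids this, for example `if (valueStrN > urlTailN && (urlTail = PianoDecryptString (&valueStr[valueStrN - urlTailN])) != NULL) {` with the declaration reduced to `char *urlTail = NULL;`, provided `urlTailCrypted` has no later use. The rejected case falls through silently, so a short comment such as `/* too short: audioUrl stays unset, caller must handle that */` would document what callers should expect. PianoXmlParsePlaylistCb begins and ends outside this hunk.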