shithub: libtags

--- a/flac.c

+++ b/flac.c

@@ -32,7 +32,8 @@

 		if(ctx->read(ctx, d, 4) != 4)

 			return -1;

-		sz = beu3(&d[1]);

+		if((sz = beu3(&d[1])) < 0)

+			return -1;

 		if((d[0] & 0x80) != 0)

 			last = 1;

@@ -40,12 +41,12 @@

 			int n, offset;

 			char *mime;

-			if(sz < 16 || ctx->read(ctx, d, 8) != 8) /* type, mime length */

+			if(sz < 8+4+20 || ctx->read(ctx, d, 8) != 8) /* type, mime length */

 				return -1;

 			sz -= 8;

 			n = beuint(&d[4]);

 			mime = ctx->buf+20;

-			if(n >= sz || n >= ctx->bufsz-20 || ctx->read(ctx, mime, n) != n)

+			if(n < 0 || n >= sz-4-20 || n >= ctx->bufsz-20 || ctx->read(ctx, mime, n) != n)

 				return -1;

 			sz -= n;

 			mime[n] = 0;

@@ -54,8 +55,10 @@

 			offset = beuint(d) + ctx->seek(ctx, 0, 1) + 20;

 			ctx->read(ctx, d, 20);

 			sz -= 20;

-			n = beuint(&d[16]);

-			tagscallcb(ctx, Timage, "", mime, offset, n, nil);

+			if((n = beuint(&d[16])) < 0)

+				return -1;

+			if(n > 0)

+				tagscallcb(ctx, Timage, "", mime, offset, n, nil);

 			if(ctx->seek(ctx, sz, 1) <= 0)

 				return -1;

 		}else if((d[0] & 0x7f) == 4){ /* 4 = vorbis comment */