emms.git - EMMS, The Emacs Multimedia System.

EMMS, The Emacs Multimedia System.

diff options

author	Petteri Hintsanen <petterih@iki.fi>	2023年10月30日 21:47:45 +0200
committer	Petteri Hintsanen <petterih@iki.fi>	2023年10月30日 21:47:45 +0200
commit	52dac8ccc47e6040d33045e8df989a09270d3bdb (patch)
tree	f5407cc07c322520ea2fbb8c3d83be3e4926dd6f
parent	c96afb7687ad7f9fab7161a20e24d9d4feca5fe5 (diff)
download	emms-info-native.tar.gz

Remove most length limits from Vorbis bindat specsinfo-native

Many of the field length limits were arbitrarily chosen and even too strict in practice. It is better to check against the length of input data, which forms trivially an upper bound for the length of any field. Do still keep maximum metadata peek sizes to limit reading of excessive amounts of data, but increase the limit to 16 MB.

Diffstat

-rw-r--r--

emms-info-native-flac.el

-rw-r--r--

emms-info-native-ogg.el

-rw-r--r--

emms-info-native-opus.el

-rw-r--r--

emms-info-native-vorbis.el

4 files changed, 26 insertions, 48 deletions

diff --git a/emms-info-native-flac.el b/emms-info-native-flac.el
index 132ee33..2315bb7 100644
--- a/emms-info-native-flac.el
+++ b/emms-info-native-flac.el

@@ -34,7 +34,9 @@

(require 'emms-info-native-vorbis)

(require 'bindat)

-(defconst emms-info-native-flac--max-peek-size (* 2048 1024)

+(defvar bindat-raw)

+(defconst emms-info-native-flac--max-peek-size (* 16 1024 1024)

"Maximum buffer size for metadata decoding.

Functions in `emms-info-native-flac' read certain amounts of data

into a temporary buffer while decoding metadata. This variable

@@ -82,22 +84,22 @@ exhaustion in case of garbled or malicious inputs.")

(if (eval-when-compile (fboundp 'bindat-type))

(bindat-type

(vendor-length uintr 32)

- (_ unit (when (> vendor-length emms-info-native-vorbis--max-vendor-length)

+ (_ unit (when (> vendor-length (length bindat-raw))

(error "FLAC vendor length %s is too long"

vendor-length)))

(vendor-string str vendor-length)

(user-comments-list-length uintr 32)

- (_ unit (when (> user-comments-list-length emms-info-native-vorbis--max-comments)

+ (_ unit (when (> user-comments-list-length (length bindat-raw))

(error "FLAC user comment list length %s is too long"

user-comments-list-length)))

(user-comments repeat user-comments-list-length

type emms-info-native-vorbis--comment-field-bindat-spec))

'((vendor-length u32r)

- (eval (when (> last emms-info-native-vorbis--max-vendor-length)

+ (eval (when (> last (length bindat-raw))

(error "FLAC vendor length %s is too long" last)))

(vendor-string str (vendor-length))

(user-comments-list-length u32r)

- (eval (when (> last emms-info-native-vorbis--max-comments)

+ (eval (when (> last (length bindat-raw))

(error "FLAC user comment list length %s is too long"

last)))

(user-comments repeat

diff --git a/emms-info-native-ogg.el b/emms-info-native-ogg.el
index 457dc69..89c309e 100644
--- a/emms-info-native-ogg.el
+++ b/emms-info-native-ogg.el

@@ -47,13 +47,13 @@

(defconst emms-info-native-ogg--page-size 65307

"Maximum size for a single Ogg container page.")

-(defconst emms-info-native-ogg--max-peek-size (* 2048 1024)

+(defconst emms-info-native-ogg--max-peek-size (* 16 1024 1024)

"Maximum buffer size for metadata decoding.

-Functions in `emms-info-native-ogg' read certain amounts of data into a

-temporary buffer while decoding metadata. This variable controls

-the maximum size of that buffer: if more than

-`emms-info-native-ogg--max-peek-size' bytes are needed, an error is

-signaled.

+Functions in `emms-info-native-ogg' read certain amounts of data

+into a temporary buffer while decoding metadata. This variable

+controls the maximum size of that buffer: if more than

+`emms-info-native-ogg--max-peek-size' bytes are needed, an error

+is signaled.

Technically metadata blocks can have almost arbitrary lengths,

but in practice processing must be constrained to prevent memory

diff --git a/emms-info-native-opus.el b/emms-info-native-opus.el
index efec5e9..15f0aa4 100644
--- a/emms-info-native-opus.el
+++ b/emms-info-native-opus.el

@@ -31,6 +31,8 @@

(require 'emms-info-native-vorbis)

(require 'bindat)

+(defvar bindat-raw)

(defvar emms-info-native-opus--channel-count 0

"Last decoded Opus channel count.")

@@ -101,13 +103,12 @@

emms-info-native-opus--tags-magic-pattern

opus-tags)))

(vendor-length uintr 32)

- (_ unit (when (> vendor-length emms-info-native-vorbis--max-vendor-length)

+ (_ unit (when (> vendor-length (length bindat-raw))

(error "Opus vendor length %s is too long"

vendor-length)))

(vendor-string str vendor-length)

(user-comments-list-length uintr 32)

- (_ unit (when (> user-comments-list-length

- emms-info-native-vorbis--max-comments)

+ (_ unit (when (> user-comments-list-length (length bindat-raw))

(error "Opus user comment list length %s is too long"

user-comments-list-length)))

(user-comments repeat user-comments-list-length

@@ -118,11 +119,11 @@

emms-info-native-opus--tags-magic-pattern

last)))

(vendor-length u32r)

- (eval (when (> last emms-info-native-vorbis--max-vendor-length)

+ (eval (when (> last (length bindat-raw))

(error "Opus vendor length %s is too long" last)))

(vendor-string str (vendor-length))

(user-comments-list-length u32r)

- (eval (when (> last emms-info-native-vorbis--max-comments)

+ (eval (when (> last (length bindat-raw))

(error "Opus user comment list length %s is too long"

last)))

(user-comments repeat

diff --git a/emms-info-native-vorbis.el b/emms-info-native-vorbis.el
index 77a49a7..7a8ccc6 100644
--- a/emms-info-native-vorbis.el
+++ b/emms-info-native-vorbis.el

@@ -29,32 +29,7 @@

(require 'bindat)

-(defconst emms-info-native-vorbis--max-comments 1024

- "Maximum number of Vorbis comment fields in a stream.

-Technically a single Vorbis stream may have up to 2^32 comments,

-but in practice processing must be constrained to prevent memory

-exhaustion in case of garbled or malicious inputs.

-This limit is used with Opus and FLAC streams as well, since

-their comments have almost the same format as Vorbis.")

-(defconst emms-info-native-vorbis--max-comment-size (* 64 1024)

- "Maximum length for a single Vorbis comment field.

-Technically a single Vorbis comment may have a length up to 2^32

-bytes, but in practice processing must be constrained to prevent

-memory exhaustion in case of garbled or malicious inputs.

-This limit is used with Opus and FLAC streams as well, since

-their comments have almost the same format as Vorbis.")

-(defconst emms-info-native-vorbis--max-vendor-length 1024

- "Maximum length of Vorbis vendor string.

-Technically a vendor string can be up to 2^32 bytes long, but in

-practice processing must be constrained to prevent memory

-exhaustion in case of garbled or malicious inputs.

-This limit is used with Opus and FLAC streams as well, since

-their comments have almost the same format as Vorbis.")

+(defvar bindat-raw)

(defconst emms-info-native-vorbis--accepted-fields

'("album"

@@ -136,12 +111,12 @@ their comments have almost the same format as Vorbis.")

(if (eval-when-compile (fboundp 'bindat-type))

(bindat-type

(length uintr 32)

- (_ unit (when (> length emms-info-native-vorbis--max-comment-size)

+ (_ unit (when (> length (length bindat-raw))

(error "Vorbis comment length %s is too long"

length)))

(user-comment str length))

'((length u32r)

- (eval (when (> last emms-info-native-vorbis--max-comment-size)

+ (eval (when (> last (length bindat-raw))

(error "Vorbis comment length %s is too long" last)))

(user-comment str (length))))

"Vorbis comment field specification.")

@@ -159,12 +134,12 @@ their comments have almost the same format as Vorbis.")

emms-info-native-vorbis--header-magic-pattern

vorbis)))

(vendor-length uintr 32)

- (_ unit (when (> vendor-length emms-info-native-vorbis--max-vendor-length)

+ (_ unit (when (> vendor-length (length bindat-raw))

(error "Vorbis vendor length %s is too long"

vendor-length)))

(vendor-string str vendor-length)

(user-comments-list-length uintr 32)

- (_ unit (when (> user-comments-list-length emms-info-native-vorbis--max-comments)