From 64e900704c89341ba55e7718d8a3ade37e46339e Mon Sep 17 00:00:00 2001
From: Justin Maggard <jmaggard@users.sourceforce.net>
Date: Thu, 8 Mar 2012 18:11:00 +0000
Subject: * Fix a crash bug on some oddly-formed WAV files.

---
 tagutils/tagutils-wav.c | 6 +++---
 upnphttp.c              | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/tagutils/tagutils-wav.c b/tagutils/tagutils-wav.c
index b5ac8c2..7f9b293 100644
--- a/tagutils/tagutils-wav.c
+++ b/tagutils/tagutils-wav.c
@@ -79,7 +79,7 @@ _get_wavtags(char *filename, struct song_metadata *psong)
 
 	/* now, walk through the chunks */
 	current_offset = 12;
-	while(current_offset < psong->file_size)
+	while(current_offset + 8 < psong->file_size)
 	{
 		len = 8;
 		if(!(len = read(fd, hdr, len)) || (len != 8))
@@ -92,7 +92,7 @@ _get_wavtags(char *filename, struct song_metadata *psong)
 		current_offset += 8;
 		block_len = GET_WAV_INT32(hdr + 4);
 
-		//DEBUG DPRINTF(E_DEBUG,L_SCANNER,"Read block %02x%02x%02x%02x (%c%c%c%c) of "
+		//DEBUG DPRINTF(E_DEBUG, L_SCANNER, "Read block %02x%02x%02x%02x (%c%c%c%c) of "
 		//        "size 0x%08x\n",hdr[0],hdr[1],hdr[2],hdr[3],
 		//        isprint(hdr[0]) ? hdr[0] : '?',
 		//        isprint(hdr[1]) ? hdr[1] : '?',
@@ -145,7 +145,7 @@ _get_wavtags(char *filename, struct song_metadata *psong)
 			char **m;
 
 			len = GET_WAV_INT32(hdr + 4);
-			if(len > 65536)
+			if(len > 65536 || len < 9)
 				goto next_block;
 
 			tags = malloc(len+1);
diff --git a/upnphttp.c b/upnphttp.c
index 7a46de5..0d30f25 100644
--- a/upnphttp.c
+++ b/upnphttp.c
@@ -2006,4 +2006,5 @@ error:
 	if( !newpid )
 		_exit(0);
 #endif
+	return;
 }
-- 
cgit v1.2.3