[flac-dev] [PATCH] Fix buffer overflow in metaflac

Cristian Rodríguez crrodriguez at opensuse.org
Wed Apr 4 17:44:34 PDT 2012


strlen() returns the length excluding the terminating null byte. Then
a string of len 4 will be off-by-one in application_id[4];

GCC 4.7 detects this bug.
---
 src/metaflac/options.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/metaflac/options.c b/src/metaflac/options.c
index eb3498d..2cb0959 100644
--- a/src/metaflac/options.c
+++ b/src/metaflac/options.c
@@ -1040,7 +1040,7 @@ FLAC__bool parse_block_type(const char *in, Argument_BlockType *out)
 			out->entries[entry].type = FLAC__METADATA_TYPE_APPLICATION;
 			out->entries[entry].filter_application_by_id = (0 != r);
 			if(0 != r) {
-				if(strlen(r) == 4) {
+				if(strlen(r) == 3) {
 					strcpy(out->entries[entry].application_id, r);
 				}
 				else if(strlen(r) == 10 && strncmp(r, "0x", 2) == 0 && strspn(r+2, "0123456789ABCDEFabcdef") == 8) {
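Review bot: changing the check to `strlen(r) == 3` removes the overflow but also changes behaviour: a four-character application ID (the size the field `application_id[4]` holds, and the size the `0x` branch below also expects with its 8 hex digits) is no longer accepted, while a three-character string is copied together with its NUL into the fourth byte, yielding a different ID than the user typed. The overflow comes from `strcpy` writing the terminator into a field that is a 4-byte identifier, not a C string, so the fix that keeps the intended semantics is to leave the `== 4` check as it was and replace the copy with `memcpy(out->entries[entry].application_id, r, 4);`. If the field is instead meant to be NUL-terminated, widen it to 5 bytes in the header rather than shortening the accepted input.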
-- 
1.7.9.2
