From ef8a32f6b9f143092165cafdaf90acfbff68112a Mon Sep 17 00:00:00 2001
From: Peter Wilson
Date: Fri, 29 Apr 2022 04:50:12 +0000
Subject: [PATCH] Media: Validate track number ID3 tags before use.
Validate current and total track ID3 tags as numeric before use.
Props mjkhajeh, SergeyBiryukov, costdev.
Fixes #55204.
Built from https://develop.svn.wordpress.org/trunk@53307
git-svn-id: http://core.svn.wordpress.org/trunk@52896 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/media.php | 21 +++++++++++++++------
 wp-includes/version.php | 2 +-
 2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/wp-admin/includes/media.php b/wp-admin/includes/media.php
index 31c76bda65..95a29d5e52 100644
--- a/wp-admin/includes/media.php
+++ b/wp-admin/includes/media.php
@@ -361,12 +361,21 @@ function media_handle_upload( $file_id, $post_id, $post_data = array(), $overrid
 if ( ! empty( $meta['track_number'] ) ) {
 $track_number = explode( '/', $meta['track_number'] );
- if ( isset( $track_number[1] ) ) {
- /* translators: Audio file track information. 1: Audio track number, 2: Total audio tracks. */
- $content .= ' ' . sprintf( __( 'Track %1$s of %2$s.' ), number_format_i18n( $track_number[0] ), number_format_i18n( $track_number[1] ) );
- } else {
- /* translators: Audio file track information. %s: Audio track number. */
- $content .= ' ' . sprintf( __( 'Track %s.' ), number_format_i18n( $track_number[0] ) );
+ if ( is_numeric( $track_number[0] ) ) {
+ if ( isset( $track_number[1] ) && is_numeric( $track_number[1] ) ) {
+ $content .= ' ' . sprintf(
+ /* translators: Audio file track information. 1: Audio track number, 2: Total audio tracks. */
+ __( 'Track %1$s of %2$s.' ),
+ number_format_i18n( $track_number[0] ),
+ number_format_i18n( $track_number[1] )
+ );
+ } else {
+ $content .= ' ' . sprintf(
+ /* translators: Audio file track information. %s: Audio track number. */
+ __( 'Track %s.' ),
+ number_format_i18n( $track_number[0] )
+ );
+ }
+ }
 }
 }
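Review bot: `is_numeric()` in the two new guards is wider than a track number: it also passes signed, decimal and exponent strings such as `-1`, `2.5` or `1e3`, so a malformed ID3 value is still handed to `number_format_i18n()` and written into `$content` instead of being dropped. The tag comes from the uploaded file, so the check should match the expected shape (digits only), for example `if ( preg_match( '/\A\d+\z/', $track_number[0] ) ) {` and `if ( isset( $track_number[1] ) && preg_match( '/\A\d+\z/', $track_number[1] ) ) {`. Whether padded values occur in real tags is not visible here, so a `trim()` before the test may be needed. `media_handle_upload()` starts and ends outside this hunk.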
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 24db4d7e7b..fbe3f8b627 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.0-beta3-53306';
+$wp_version = '6.0-beta3-53307';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.