- len = avio_rb32(pb);
- if (len <= 0) {
- av_log(s, AV_LOG_ERROR, "Invalid attached picture size: %d.\n", len);
- if (s->error_recognition & AV_EF_EXPLODE)
- ret = AVERROR_INVALIDDATA;
- goto fail;
+ len = bytestream2_get_be32u(&g);
+
+ left = bytestream2_get_bytes_left(&g);
+ if (len <= 0 || len > left) {
+ if (len > MAX_TRUNC_PICTURE_SIZE || len >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+ av_log(s, AV_LOG_ERROR, "Attached picture metadata block too big %u\n", len);
+ if (s->error_recognition & AV_EF_EXPLODE)
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
+
+ // Workaround bug for flac muxers that writs truncated metadata picture block size if
+ // the picture size do not fit in 24 bits. lavf flacenc used to have the issue and based
+ // on existing broken files other unknown flac muxers seems to truncate also.
+ if (truncate_workaround &&
+ s->strict_std_compliance <= FF_COMPLIANCE_NORMAL &&
+ len > left && (len & 0xffffff) == left) {
+ av_log(s, AV_LOG_INFO, "Correcting truncated metadata picture size from %u to %u\n", left, len);
+ trunclen = len - left;
+ } else {
+ av_log(s, AV_LOG_ERROR, "Attached picture metadata block too short\n");
+ if (s->error_recognition & AV_EF_EXPLODE)
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }