id3v2: skip broken tags with invalid size

author Anton Khirnov <anton@khirnov.net>

Tue, 22 Mar 2011 09:35:35 +0000 (10:35 +0100)

committer Justin Ruggles <justin.ruggles@gmail.com>

Tue, 22 Mar 2011 13:08:59 +0000 (09:08 -0400)
author Anton Khirnov <anton@khirnov.net>
Tue, 22 Mar 2011 09:35:35 +0000 (10:35 +0100)
committer Justin Ruggles <justin.ruggles@gmail.com>
Tue, 22 Mar 2011 13:08:59 +0000 (09:08 -0400)
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c

index 96f3e1c61a532d258913a47e171032e764b7d603..4fecffe6ba35a0a81c1095f997b20974272f6cfd 100644 (file)
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -237,11 +237,11 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
              tag[3] = 0;
              tlen = avio_rb24(s->pb);
          }
-        len -= taghdrlen + tlen;
-
-        if (len < 0)
+        if (tlen < 0 || tlen > len - taghdrlen) {
+            av_log(s, AV_LOG_WARNING, "Invalid size in frame %s, skipping the rest of tag.\n", tag);
              break;
-
+        }
+        len -= taghdrlen + tlen;
          next = avio_tell(s->pb) + tlen;
  
          if (tflags & ID3v2_FLAG_DATALEN) {
author	Anton Khirnov <anton@khirnov.net>
	Tue, 22 Mar 2011 09:35:35 +0000 (10:35 +0100)
committer	Justin Ruggles <justin.ruggles@gmail.com>
	Tue, 22 Mar 2011 13:08:59 +0000 (09:08 -0400)