[FFmpeg-cvslog] Do not loop endlessly if id3v2 tag size is negative / too large.
Carl Eugen Hoyos
git
Mon Mar 7 23:32:52 CET 2011
ffmpeg | branch: master | Carl Eugen Hoyos <cehoyos at ag.or.at> | Mon Mar 7 23:18:36 2011 +0100| [ac533ac458b8c75ac68372b34d0ce7c150684585] | committer: Carl Eugen Hoyos
Do not loop endlessly if id3v2 tag size is negative / too large.
Fixes the sample from issue 2649.
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ac533ac458b8c75ac68372b34d0ce7c150684585
---
libavformat/id3v2.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 7635735..37443a4 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -138,7 +138,8 @@ static void read_ttag(AVFormatContext *s, AVIOContext *pb, int taglen, const cha
static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t flags)
{
- int isv34, tlen, unsync;
+ int isv34, unsync;
+ unsigned tlen;
char tag[5];
int64_t next;
int taghdrlen;
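Review bot: The switch to 'unsigned tlen' in the declarations is what lets a single upper-bound comparison reject negative sizes, but nothing at the declaration records that intent. A one-line comment stating that tlen is unsigned on purpose, so that a negative size shows up as a very large value, would keep a later cleanup from changing it back to int and silently losing the check. Note also that read_ttag() in the hunk header takes 'int taglen', so any tlen handed to it is converted back to signed and relies on the bound having been applied first.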
@@ -191,6 +192,8 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
tag[3] = 0;
tlen = avio_rb24(s->pb);
}
+ if (tlen > (1<<28))
+ break;
len -= taghdrlen + tlen;
if (len < 0)
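Review bot: The bound in 'if (tlen > (1<<28))' is an unexplained constant, and the 'break' leaves the loop without any diagnostic. A short comment saying where 1<<28 comes from, plus an av_log() warning before the break, would make it visible that tag parsing was cut short on a malformed file. Also, 'len -= taghdrlen + tlen' is now evaluated in unsigned arithmetic and converted back to int; that only gives the intended result because of the cap directly above it, so the two statements should stay adjacent if this code is ever reordered.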