[FFmpeg-cvslog] id3v2: skip broken tags with invalid size

Wed Mar 23 03:03:42 CET 2011

ffmpeg | branch: master | Anton Khirnov <anton at khirnov.net> | Tue Mar 22 10:35:35 2011 +0100| [c5f4c0fd5c791ba97eb266cc30ae2172c10feb20] | committer: Justin Ruggles

id3v2: skip broken tags with invalid size

fixes issue2649.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c5f4c0fd5c791ba97eb266cc30ae2172c10feb20
---

 libavformat/id3v2.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 96f3e1c..4fecffe 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -237,11 +237,11 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
             tag[3] = 0;
             tlen = avio_rb24(s->pb);
         }
-        len -= taghdrlen + tlen;
-
-        if (len < 0)
+        if (tlen < 0 || tlen > len - taghdrlen) {
+            av_log(s, AV_LOG_WARNING, "Invalid size in frame %s, skipping the rest of tag.\n", tag);
             break;
-
+        }
+        len -= taghdrlen + tlen;
         next = avio_tell(s->pb) + tlen;
 
         if (tflags & ID3v2_FLAG_DATALEN) {


