[FFmpeg-cvslog] id3v2: prevent unsigned integer overflow in ff_id3v2_parse()

Wed May 18 11:19:22 CEST 2011

ffmpeg | branch: master | Stefano Sabatini <stefano.sabatini-lala at poste.it> | Wed May 18 00:43:25 2011 +0200| [64be0d1edad630f5bc0f287022f5880de07915b2] | committer: Stefano Sabatini

id3v2: prevent unsigned integer overflow in ff_id3v2_parse()

In ff_id3v2_parse(), prevent unsigned integer overflow if data length
indicator is skipped and tlen is < 4.

Fix crash decoding file Allaby_cut.mp3, fix trac issue #182.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=64be0d1edad630f5bc0f287022f5880de07915b2
---

 libavformat/id3v2.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index e1958bd..3640b11 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -255,6 +255,8 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
         next = avio_tell(s->pb) + tlen;
 
         if (tflags & ID3v2_FLAG_DATALEN) {
+            if (tlen < 4)
+                break;
             avio_rb32(s->pb);
             tlen -= 4;
         }

