[FFmpeg-devel] [PATCH 2/2] Add ID support for .oma/.aa3

Reimar Döffinger Reimar.Doeffinger
Fri Jun 11 01:10:37 CEST 2010


On Fri, Jun 11, 2010 at 12:44:45AM +0200, Michael Karcher wrote:
> +    const uint8_t *buf;
> +
> +    buf = p->buf;
> +    if (p->end >= p->buf + ID3v2_HEADER_SIZE
> +        && ff_id3v2_match(buf, ID3v2_EA3_MAGIC))
> +        buf += ff_id3v2_tag_len(buf);
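
Review bot: buf += ff_id3v2_tag_len(buf) advances the pointer by a length read from the input without comparing it to the data that is actually available; the guard above it only establishes that ID3v2_HEADER_SIZE bytes are present. Store the length in an integer first, return 0 if it exceeds p->end - p->buf, and only then add it to buf.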

This may overflow

> +    if (p->end > buf + 5) && !memcmp(buf, "EA3", 3) 
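
Review bot: the bound in p->end > buf + 5 is formed by pointer addition on a buf that may already sit at or past the end of the probe data, so the sum itself can be out of range and the comparison proves nothing; compare sizes instead, for example p->end - buf > 5 once buf is known to be inside the buffer. As quoted, the parenthesis also closes after buf + 5, which leaves && !memcmp(buf, "EA3", 3) outside the if condition.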

As well as the + 5, making the check not really water-tight.
Maybe something like
int tag_len = 0;
if (...)
    tag_len = ff_id3v2_tag_len();
// cannot overflow since tag_len is at most 28 bits
if (p->size < tag_len + 5)
    return 0;
buf += tag_len;
....

The same applies to the ID3v2_HEADER_SIZE check in principle,
though I think the API requires a minimum allocated size for
the buffer that would make an overflow impossible since
ID3v2_HEADER_SIZE is so small.
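
The size-based check suggested in the message above, written out as an added example (it is not part of the original message and is not FFmpeg's code). The names tag_len and probe_ea3, the "ea3" magic, the 10-byte header layout and the sample buffers are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE 10 /* ID3v2-style header: 3 magic, 2 version, 1 flags, 4 size */

/* Hypothetical helper: total tag length declared by a 10-byte header.
 * The size field holds four 7-bit groups (28 bits), so the sum fits in int. */
static int tag_len(const uint8_t *h)
{
    return ((h[6] & 0x7f) << 21) + ((h[7] & 0x7f) << 14) +
           ((h[8] & 0x7f) << 7) + (h[9] & 0x7f) + HDR_SIZE;
}

/* Returns 1 if "EA3" starts the data after an optional leading "ea3" tag.
 * All bounds are integer comparisons against size; the pointer is only
 * offset once the declared length is known to lie inside the buffer. */
static int probe_ea3(const uint8_t *buf, int size)
{
    int skip = 0;

    if (size >= HDR_SIZE && !memcmp(buf, "ea3", 3))
        skip = tag_len(buf);
    if (size < skip + 5) /* no overflow: skip < 2^28 + HDR_SIZE */
        return 0;
    return !memcmp(buf + skip, "EA3", 3);
}

/* Constructed inputs: a 14-byte tag followed by "EA3", and a header that
 * declares the maximum length while only 12 bytes are present. */
static const uint8_t sample_ok[19] = {
    'e','a','3', 3,0, 0, 0,0,0,4, 0,0,0,0, 'E','A','3', 2,0 };
static const uint8_t sample_lying[12] = {
    'e','a','3', 3,0, 0, 0x7f,0x7f,0x7f,0x7f, 'E','A' };

int main(void)
{
    printf("ok=%d truncated=%d lying=%d\n",
           probe_ea3(sample_ok, sizeof(sample_ok)),
           probe_ea3(sample_ok, sizeof(sample_ok) - 1),
           probe_ea3(sample_lying, sizeof(sample_lying)));
    return 0;
}
```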


