[FFmpeg-devel] [PATCH] id3v2: prevent unsigned integer overflow in ff_id3v2_parse()

Stefano Sabatini stefano.sabatini-lala at poste.it
Wed May 18 11:16:09 CEST 2011


On date Wednesday 2011-05-18 04:48:59 +0200, Michael Niedermayer encoded:
> On Wed, May 18, 2011 at 12:48:03AM +0200, Stefano Sabatini wrote:
> > In ff_id3v2_parse(), prevent unsigned integer overflow if data length
> > indicator is skipped and tlen is < 4.
> > 
> > Fix crash decoding file Allaby_cut.mp3, fix trac issue #182.
> > ---
> >  libavformat/id3v2.c |    2 ++
> >  1 files changed, 2 insertions(+), 0 deletions(-)
> > 
> > diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
> > index e1958bd..3eec095 100644
> > --- a/libavformat/id3v2.c
> > +++ b/libavformat/id3v2.c
> > @@ -256,6 +256,8 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
> >  
> >          if (tflags & ID3v2_FLAG_DATALEN) {
> >              avio_rb32(s->pb);
> > +            if (tlen < 4)
> > +                break;
> >              tlen -= 4;
> >          }
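
Review bot: In the `if (tflags & ID3v2_FLAG_DATALEN)` block the `tlen < 4` check comes after `avio_rb32(s->pb)`, so four bytes are consumed from the stream before the frame is confirmed to have room for a data length indicator. Put `if (tlen < 4) break;` above the read so validation precedes consumption. The `break` also abandons the tag silently; a short `av_log()` warning here would make a truncated or malformed frame visible when someone has to diagnose a file like the one in the commit message.
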
> 
> ok, maybe put the check before the avio_rb32() but that's just a nitpick
> feels odd to read first and then check though it should make no
> difference

Right, pushed with that change.
-- 
FFmpeg = Funny and Friendly Mastering Pitiful Exuberant Gigant