[FFmpeg-devel] [PATCH 2/2] avformat/id3v2: Check that decode_str() did advance
Michael Niedermayer
michael at niedermayer.cc
Sat Apr 12 01:27:19 EEST 2025
Fixes infinite loop with unknown encodings
We could alternatively error out from decode_str() or consume all of taglen;
this would affect other callers, though.
Fixes: 409819224/clusterfuzz-testcase-minimized-ffmpeg_dem_H261_fuzzer-6003527535362048
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavformat/id3v2.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 90314583a74..e3f7f9e2a90 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -341,10 +341,13 @@ static void read_ttag(AVFormatContext *s, AVIOContext *pb, int taglen,
taglen--; /* account for encoding type byte */
while (taglen > 1) {
+ int current_taglen = taglen;
if (decode_str(s, pb, encoding, &dst, &taglen) < 0) {
av_log(s, AV_LOG_ERROR, "Error reading frame %s, skipped\n", key);
return;
}
+ if (current_taglen == taglen)
+ return;
count++;
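Review bot: The new early return at `if (current_taglen == taglen)` exits silently, while the failure branch just above it logs "Error reading frame %s, skipped" with the key. A stalled decode_str() on an unknown encoding is also a malformed-input condition, so an av_log() call naming the key (warning or error level) before the return would make the truncated tag visible to anyone triaging the file. Two further points on the same lines: dst was handed to decode_str() by address, so if that call can leave an allocation in dst when it consumes nothing, it should be released before returning. And since the return sits before `count++`, values decoded in earlier iterations are kept but the rest of the frame is dropped; a short comment stating that this is intended, and that the check exists to guarantee loop progress, would help the next reader.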
--
2.49.0