[FFmpeg-devel] [PATCH] id3v2: prevent unsigned integer overflow in ff_id3v2_parse()

Stefano Sabatini stefano.sabatini-lala at poste.it
Wed May 18 00:48:03 CEST 2011


In ff_id3v2_parse(), prevent unsigned integer overflow if the data length
indicator is skipped and tlen is < 4.

Fix crash decoding file Allaby_cut.mp3, fix trac issue #182.
---
 libavformat/id3v2.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index e1958bd..3eec095 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -256,6 +256,8 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
 
         if (tflags & ID3v2_FLAG_DATALEN) {
             avio_rb32(s->pb);
+            if (tlen < 4)
+                break;
             tlen -= 4;
         }
 
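Review bot: The new `if (tlen < 4)` test is placed after `avio_rb32(s->pb)`, so the four-byte data length indicator is still read from the stream even when the frame is too short to hold it. Consider moving the test ahead of the read so nothing is consumed for a frame that is about to be rejected. The `break` also gives up silently; an av_log() warning just before it would make a truncated or malformed frame visible to whoever is debugging a file like the one in the commit message. A short comment stating that `tlen -= 4` would otherwise wrap around would help the next reader understand why the guard exists.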
-- 
1.7.2.3


