[FFmpeg-devel] [PATCH] id3v2: prevent unsigned integer overflow in ff_id3v2_parse()

Michael Niedermayer michaelni at gmx.at
Wed May 18 04:48:59 CEST 2011


On Wed, May 18, 2011 at 12:48:03AM +0200, Stefano Sabatini wrote:
> In ff_id3v2_parse(), prevent unsigned integer overflow if data length
> indicator is skipped and tlen is < 4.
> 
> Fix crash decoding file Allaby_cut.mp3, fix trac issue #182.
> ---
>  libavformat/id3v2.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
> index e1958bd..3eec095 100644
> --- a/libavformat/id3v2.c
> +++ b/libavformat/id3v2.c
> @@ -256,6 +256,8 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
>  
>          if (tflags & ID3v2_FLAG_DATALEN) {
>              avio_rb32(s->pb);
> +            if (tlen < 4)
> +                break;
>              tlen -= 4;
>          }
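
Review bot: in the `ID3v2_FLAG_DATALEN` branch the new `tlen < 4` test sits after `avio_rb32(s->pb)`, so four bytes are read from the stream before a frame too short to hold the data length indicator is rejected. Suggest moving `if (tlen < 4) break;` above the read, so the length is validated before anything is consumed and `tlen -= 4` is only reached when it cannot wrap. A one-line comment saying the check guards that subtraction would help. The enclosing loop is not visible in this hunk: if `break` ends parsing of the remaining frames rather than skipping this one, the commit message should say that is intended.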

ok, maybe put the check before the avio_rb32() but that's just a nitpick
feels odd to read first and then check though it should make no
difference

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Freedom in capitalist society always remains about the same as it was in
ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin