Commit 10416a4d authored by Michael Niedermayer's avatar Michael Niedermayer

id3v2: check index against buffer size. Fix out of array access

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 0b14c197
......@@ -704,9 +704,9 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
uint8_t *b;
b = buffer;
while (avio_tell(s->pb) < end) {
while (avio_tell(s->pb) < end && b - buffer < tlen) {
*b++ = avio_r8(s->pb);
if (*(b - 1) == 0xff && avio_tell(s->pb) < end - 1) {
if (*(b - 1) == 0xff && avio_tell(s->pb) < end - 1 && b - buffer < tlen) {
uint8_t val = avio_r8(s->pb);
*b++ = val ? val : avio_r8(s->pb);
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment