id3v2: check index against buffer size. Fix out of array access

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

id3v2: check index against buffer size. Fix out of array access
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
10416a4d · Michael Niedermayer · 0b14c197 · 10416a4d
Commit 10416a4d authored Nov 29, 2012 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

id3v2.c libavformat/id3v2.c +2 -2

No files found.
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -704,9 +704,9 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
                uint8_t *b;

                b = buffer;
-                while (avio_tell(s->pb) < end) {
+                while (avio_tell(s->pb) < end && b - buffer < tlen) {
                    *b++ = avio_r8(s->pb);
-                    if (*(b - 1) == 0xff && avio_tell(s->pb) < end - 1) {
+                    if (*(b - 1) == 0xff && avio_tell(s->pb) < end - 1 && b - buffer < tlen) {
                        uint8_t val = avio_r8(s->pb);
                        *b++ = val ? val : avio_r8(s->pb);
                    }