id3v2: allocate large enough buffer

Fixes array overread Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

id3v2: allocate large enough buffer
Fixes array overread Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
24cfe91a · Michael Niedermayer · aa28c425 · 24cfe91a
Commit 24cfe91a authored Mar 29, 2013 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

id3v2.c libavformat/id3v2.c +2 -1

No files found.
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -489,7 +489,8 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, char *tag
        goto fail;
    }
-    apic->buf = av_buffer_alloc(taglen);
+    apic->buf = av_buffer_alloc(taglen + FF_INPUT_BUFFER_PADDING_SIZE);
+    apic->buf->size -= FF_INPUT_BUFFER_PADDING_SIZE;
    if (!apic->buf || !taglen || avio_read(pb, apic->buf->data, taglen) != taglen)
        goto fail;