Do not loop endlessly if id3v2 tag size is negative / too large.

Fixes the sample from issue 2649.

Do not loop endlessly if id3v2 tag size is negative / too large.
Fixes the sample from issue 2649.
ac533ac4 · Carl Eugen Hoyos · 2a8175ff · ac533ac4
Commit ac533ac4 authored Mar 07, 2011 by Carl Eugen Hoyos
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

id3v2.c libavformat/id3v2.c +4 -1

No files found.
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -138,7 +138,8 @@ static void read_ttag(AVFormatContext *s, AVIOContext *pb, int taglen, const cha

 static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t flags)
 {
-    int isv34, tlen, unsync;
+    int isv34, unsync;
+    unsigned tlen;
    char tag[5];
    int64_t next;
    int taghdrlen;
@@ -191,6 +192,8 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
            tag[3] = 0;
            tlen = avio_rb24(s->pb);
        }
+        if (tlen > (1<<28))
+            break;
        len -= taghdrlen + tlen;

        if (len < 0)