Skip to content

F
ffmpeg.wasm-core
Commit ac533ac4 authored by Carl Eugen Hoyos's avatar Carl Eugen Hoyos
Browse files
Options

Do not loop endlessly if id3v2 tag size is negative / too large. 

Fixes the sample from issue 2649.
parent 2a8175ff
Hide whitespace changes
Inline Side-by-side
Showing with 4 additions and 1 deletion
libavformat/id3v2.c
View file @ ac533ac4
...@@ -138,7 +138,8 @@ static void read_ttag(AVFormatContext *s, AVIOContext *pb, int taglen, const cha ...@@ -138,7 +138,8 @@ static void read_ttag(AVFormatContext *s, AVIOContext *pb, int taglen, const cha
static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t flags) static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t flags)
{ {
int isv34, tlen, unsync; int isv34, unsync;
unsigned tlen;
char tag[5]; char tag[5];
int64_t next; int64_t next;
int taghdrlen; int taghdrlen;
...@@ -191,6 +192,8 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t ...@@ -191,6 +192,8 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
tag[3] = 0; tag[3] = 0;
tlen = avio_rb24(s->pb); tlen = avio_rb24(s->pb);
} }
if (tlen > (1<<28))
break;
len -= taghdrlen + tlen; len -= taghdrlen + tlen;
if (len < 0) if (len < 0)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment