Fix id3v2 extended header handling.

When skipping over the extended header, take into account that the size field has already been read. The extended header also takes up space, so adjust total header length accordingly. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Adrian Drzewiecki <adrian.drzewiecki@gmail.com> 2011-12-01 23:27:41 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2011-12-01 23:27:41 +0100
commit: dd7453a24ef6697b3cebfb1abb1e433d36fade62 (patch)
tree: cebaf9ca14224f9869c32c4ce6ea3b24a200c73c /libavformat/id3v2.c
parent: 18abf46b6fb5e640404941c40e53c79018997b13 (diff)
1 files changed, 16 insertions, 2 deletions
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 4d44c3c269..7797cca091 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -456,8 +456,22 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
 
     unsync = flags & 0x80;
 
-    if (isv34 && flags & 0x40) /* Extended header present, just skip over it */
-        avio_skip(s->pb, get_size(s->pb, 4));
+    /* Extended header present, just skip over it */
+    if (isv34 && flags & 0x40) {
+        int size = get_size(s->pb, 4);
+        if (size < 6) {
+            reason = "extended header too short.";
+            goto error;
+        }
+        len -= size;
+        if (len < 0) {
+            reason = "extended header too long.";
+            goto error;
+        }
+        /* already seeked past size, skip the reset */
+        size -= 4;
+        avio_skip(s->pb, size);
+    }
 
     while (len >= taghdrlen) {
         unsigned int tflags = 0;
author	Adrian Drzewiecki <adrian.drzewiecki@gmail.com>	2011-12-01 23:27:41 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2011-12-01 23:27:41 +0100
commit	dd7453a24ef6697b3cebfb1abb1e433d36fade62 (patch)
tree	cebaf9ca14224f9869c32c4ce6ea3b24a200c73c /libavformat/id3v2.c
parent	18abf46b6fb5e640404941c40e53c79018997b13 (diff)