diff options
| author | Anton Khirnov <anton@khirnov.net> | 2012-03-31 07:52:42 +0200 |
|---|---|---|
| committer | Anton Khirnov <anton@khirnov.net> | 2012-04-01 09:02:24 +0200 |
| commit | ddb4431208745ea270dce8fce4cba999f0ed4303 (patch) | |
| tree | cdacc9e0492caa0bb0451cb248ac77312952d639 /libavformat/id3v2.c | |
| parent | 420d1df2e2a857eae45fa947e16eae7494793d57 (diff) | |
id3v2: fix skipping extended header in id3v2.4
In v2.4, the length includes the length field itself.
Diffstat (limited to 'libavformat/id3v2.c')
| -rw-r--r-- | libavformat/id3v2.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 9488fd856d..3891897bb3 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -561,8 +561,17 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t unsync = flags & 0x80; - if (isv34 && flags & 0x40) /* Extended header present, just skip over it */ - avio_skip(s->pb, get_size(s->pb, 4)); + if (isv34 && flags & 0x40) { /* Extended header present, just skip over it */ + int extlen = get_size(s->pb, 4); + if (version == 4) + extlen -= 4; // in v2.4 the length includes the length field we just read + + if (extlen < 0) { + reason = "invalid extended header length"; + goto error; + } + avio_skip(s->pb, extlen); + } while (len >= taghdrlen) { unsigned int tflags = 0; |