From c5f4c0fd5c791ba97eb266cc30ae2172c10feb20 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Tue, 22 Mar 2011 10:35:35 +0100
Subject: id3v2: skip broken tags with invalid size

fixes issue2649.
---
 libavformat/id3v2.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'libavformat/id3v2.c')
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 96f3e1c61a..4fecffe6ba 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -237,11 +237,11 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
 tag[3] = 0;
 tlen = avio_rb24(s->pb);
 }
- len -= taghdrlen + tlen;
-
- if (len < 0)
+ if (tlen < 0 || tlen > len - taghdrlen) {
+ av_log(s, AV_LOG_WARNING, "Invalid size in frame %s, skipping the rest of tag.\n", tag);
 break;
-
+ }
+ len -= taghdrlen + tlen;
 next = avio_tell(s->pb) + tlen;
 if (tflags & ID3v2_FLAG_DATALEN) {
--
cgit v1.2.3
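Review bot: The new warning prints `tag` with `%s`, and those bytes appear to come straight from the input file (only the terminator `tag[3] = 0` is visible in this hunk), so a malformed tag can put control characters or terminal escape sequences into the log output. Replace bytes outside the printable ASCII range before logging, and consider reporting the values that failed the check, e.g. `"Invalid size %d in frame %s (%d bytes left), skipping the rest of tag.\n", tlen, tag, len`. The comparison is written as `tlen > len - taghdrlen` rather than `taghdrlen + tlen > len`, which avoids signed overflow on a large `tlen`; a short comment such as `/* compare by subtraction: taghdrlen + tlen may overflow int */` would keep it from being simplified back later. ff_id3v2_parse starts and ends outside the hunk, so the `int` type assumed for `tlen` and `len` in the format string is inferred from the `tlen < 0` test and the signature fragment in the hunk header.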