OSDN Git Service
(root)
/
android-x86
/
external-ffmpeg.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
2a8175f
)
Do not loop endlessly if id3v2 tag size is negative / too large.
author
Carl Eugen Hoyos
<cehoyos@ag.or.at>
Mon, 7 Mar 2011 22:18:36 +0000
(23:18 +0100)
committer
Carl Eugen Hoyos
<cehoyos@ag.or.at>
Mon, 7 Mar 2011 22:32:26 +0000
(23:32 +0100)
Fixes the sample from issue 2649.
libavformat/id3v2.c
patch
|
blob
|
history
diff --git
a/libavformat/id3v2.c
b/libavformat/id3v2.c
index
7635735
..
37443a4
100644
(file)
--- a/
libavformat/id3v2.c
+++ b/
libavformat/id3v2.c
@@
-138,7
+138,8
@@
static void read_ttag(AVFormatContext *s, AVIOContext *pb, int taglen, const cha
static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t flags)
{
- int isv34, tlen, unsync;
+ int isv34, unsync;
+ unsigned tlen;
char tag[5];
int64_t next;
int taghdrlen;
@@
-191,6
+192,8
@@
static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
tag[3] = 0;
tlen = avio_rb24(s->pb);
}
+ if (tlen > (1<<28))
+ break;
len -= taghdrlen + tlen;
if (len < 0)
OSDN Git Service
