id3v2: prevent unsigned integer overflow in ff_id3v2_parse()

In ff_id3v2_parse(), prevent unsigned integer overflow if data length indicator is skipped and tlen is < 4. Fix crash decoding file Allaby_cut.mp3, fix trac issue #182.
author: Stefano Sabatini <stefano.sabatini-lala@poste.it> 2011-05-18 00:43:25 +0200
committer: Stefano Sabatini <stefano.sabatini-lala@poste.it> 2011-05-18 10:35:52 +0200
commit: 64be0d1edad630f5bc0f287022f5880de07915b2 (patch)
tree: ec0b6f0c83c5d9cb4ae5ccf90a9ed082d7e37ddc
parent: b69e5ee9027ddc1820796253f2d2bcd4e6fdba00 (diff)
download: ffmpeg-64be0d1edad630f5bc0f287022f5880de07915b2.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index e1958bdf4f..3640b11ab1 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -255,6 +255,8 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
         next = avio_tell(s->pb) + tlen;
 
         if (tflags & ID3v2_FLAG_DATALEN) {
+            if (tlen < 4)
+                break;
             avio_rb32(s->pb);
             tlen -= 4;
         }
author	Stefano Sabatini <stefano.sabatini-lala@poste.it>	2011-05-18 00:43:25 +0200
committer	Stefano Sabatini <stefano.sabatini-lala@poste.it>	2011-05-18 10:35:52 +0200
commit	64be0d1edad630f5bc0f287022f5880de07915b2 (patch)
tree	ec0b6f0c83c5d9cb4ae5ccf90a9ed082d7e37ddc
parent	b69e5ee9027ddc1820796253f2d2bcd4e6fdba00 (diff)
download	ffmpeg-64be0d1edad630f5bc0f287022f5880de07915b2.tar.gz