aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlex Converse <alex.converse@gmail.com>2011-05-25 17:57:33 -0700
committerAlex Converse <alex.converse@gmail.com>2011-05-26 13:16:03 -0700
commit86f868771bac89168086285b71186fd8cf934cc3 (patch)
treecfa41e189d67464df185b096e8dd5bce82064c1b
parent40a5dd2f35e0cfcfb92475a8f305fb6f78038507 (diff)
downloadffmpeg-86f868771bac89168086285b71186fd8cf934cc3.tar.gz
id3v2: Check malloc result. ID3v2 tags can be very large.
-rw-r--r--libavformat/id3v2.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 948261ad97..06ae6f8b90 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -237,7 +237,7 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
tag[3] = 0;
tlen = avio_rb24(s->pb);
}
- if (tlen < 0 || tlen > len - taghdrlen) {
+ if (tlen <= 0 || tlen > len - taghdrlen) {
av_log(s, AV_LOG_WARNING, "Invalid size in frame %s, skipping the rest of tag.\n", tag);
break;
}
@@ -256,6 +256,10 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
if (unsync || tunsync) {
int i, j;
av_fast_malloc(&buffer, &buffer_size, tlen);
+ if (!buffer) {
+ av_log(s, AV_LOG_ERROR, "Failed to alloc %d bytes\n", tlen);
+ goto seek;
+ }
for (i = 0, j = 0; i < tlen; i++, j++) {
buffer[j] = avio_r8(s->pb);
if (j > 0 && !buffer[j] && buffer[j - 1] == 0xff) {
@@ -276,6 +280,7 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
break;
}
/* Skip to end of tag */
+seek:
avio_seek(s->pb, next, SEEK_SET);
}