Do not loop endlessly if id3v2 tag size is negative / too large.

Fixes the sample from issue 2649.
author: Carl Eugen Hoyos <cehoyos@ag.or.at> 2011-03-07 23:18:36 +0100
committer: Carl Eugen Hoyos <cehoyos@ag.or.at> 2011-03-07 23:32:26 +0100
commit: ac533ac458b8c75ac68372b34d0ce7c150684585 (patch)
tree: b8637219338d817258f7a8c7f6094b81af7b3bb8 /libavformat/id3v2.c
parent: 2a8175ff9cb7988333b8c3a8a9fec1fa9b60b719 (diff)
download: ffmpeg-ac533ac458b8c75ac68372b34d0ce7c150684585.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 7635735195..37443a4174 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -138,7 +138,8 @@ static void read_ttag(AVFormatContext *s, AVIOContext *pb, int taglen, const cha
 
 static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t flags)
 {
-    int isv34, tlen, unsync;
+    int isv34, unsync;
+    unsigned tlen;
     char tag[5];
     int64_t next;
     int taghdrlen;
@@ -191,6 +192,8 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
             tag[3] = 0;
             tlen = avio_rb24(s->pb);
         }
+        if (tlen > (1<<28))
+            break;
         len -= taghdrlen + tlen;
 
         if (len < 0)
author	Carl Eugen Hoyos <cehoyos@ag.or.at>	2011-03-07 23:18:36 +0100
committer	Carl Eugen Hoyos <cehoyos@ag.or.at>	2011-03-07 23:32:26 +0100
commit	ac533ac458b8c75ac68372b34d0ce7c150684585 (patch)
tree	b8637219338d817258f7a8c7f6094b81af7b3bb8 /libavformat/id3v2.c
parent	2a8175ff9cb7988333b8c3a8a9fec1fa9b60b719 (diff)
download	ffmpeg-ac533ac458b8c75ac68372b34d0ce7c150684585.tar.gz