diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2012-04-02 01:25:31 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2012-04-02 01:25:31 +0200 |
| commit | b6cc1c77fd7d6a037c0c0c848c3621c7b1ff33b6 (patch) | |
| tree | c199a1262a7f194a52cb3790790614e4f7f05590 /libavformat/id3v2.c | |
| parent | ceeaf424513fc019228f2cb88ea468940eb61648 (diff) | |
| parent | bc5d86d23d1ad377addf54d65ee665327836075e (diff) | |
| download | ffmpeg-b6cc1c77fd7d6a037c0c0c848c3621c7b1ff33b6.tar.gz | |
Merge remote-tracking branch 'qatar/release/0.7' into release/0.8
* qatar/release/0.7: (84 commits)
id3v2: fix skipping extended header in id3v2.4
Update RELEASE file for 0.7.5
lcl: use AVERROR_INVALIDDATA instead of AVERROR_UNKNOWN
kgv1dec: Increase offsets array size so it is large enough.
kgv1: use avctx->get/release_buffer().
kvmc: fix invalid reads
nsvdec: Propagate error values instead of returning 0 in nsv_read_header().
mjpegbdec: Fix overflow in SOS.
shorten: Use separate pointers for the allocated memory for decoded samples.
shorten: check for realloc failure (cherry picked from commit 9e5e2c2d010c05c10337e9c1ec9d0d61495e0c9c)
atrac3: Fix crash in tonal component decoding.
ws_snd1: Fix wrong samples count and crash.
ws_snd: add some checks to prevent buffer overread or overwrite. (cherry picked from commit 417364ce1f979031ef6fee661fc15e1869bdb1b4)
ws_snd: decode to AV_SAMPLE_FMT_U8 instead of S16.
dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2
h264: stricter reference limit enforcement.
jvdec: unbreak video decoding
xxan: don't read before start of buffer in av_memcpy_backptr().
dsicinvideo: validate buffer offset before copying pixels.
huffyuv: add padding to classic (v1) huffman tables.
...
Conflicts:
RELEASE
libavcodec/atrac3.c
libavcodec/h264.c
libavcodec/h264_parser.c
libavcodec/kgv1dec.c
libavcodec/shorten.c
libavcodec/svq3.c
libavcodec/ws-snd1.c
libavcodec/xxan.c
libswscale/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat/id3v2.c')
| -rw-r--r-- | libavformat/id3v2.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 930ab5c870..b20501701e 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -224,8 +224,17 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t unsync = flags & 0x80; - if (isv34 && flags & 0x40) /* Extended header present, just skip over it */ - avio_skip(s->pb, get_size(s->pb, 4)); + if (isv34 && flags & 0x40) { /* Extended header present, just skip over it */ + int extlen = get_size(s->pb, 4); + if (version == 4) + extlen -= 4; // in v2.4 the length includes the length field we just read + + if (extlen < 0) { + reason = "invalid extended header length"; + goto error; + } + avio_skip(s->pb, extlen); + } while (len >= taghdrlen) { unsigned int tflags = 0; |