From 2e693be7e9b1a70360dd6849a58fae74b16afba1 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sat, 31 Mar 2012 07:52:42 +0200
Subject: [PATCH] id3v2: fix skipping extended header in id3v2.4
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)
Conflicts: libavformat/id3v2.c
Signed-off-by: Anton Khirnov
---
 libavformat/mp3.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/libavformat/mp3.c b/libavformat/mp3.c
index fa383d6512..ca414082ea 100644
--- a/libavformat/mp3.c
+++ b/libavformat/mp3.c
@@ -246,8 +246,17 @@ static void id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t fl
 goto error;
 }
- if(isv34 && flags & 0x40) /* Extended header present, just skip over it */
- url_fskip(s->pb, id3v2_get_size(s->pb, 4));
+ if (isv34 && flags & 0x40) { /* Extended header present, just skip over it */
+ int extlen = id3v2_get_size(s->pb, 4);
+ if (version == 4)
+ extlen -= 4; // in v2.4 the length includes the length field we just read
+
+ if (extlen < 0) {
+ reason = "invalid extended header length";
+ goto error;
+ }
+ url_fskip(s->pb, extlen);
+ }
 while(len >= taghdrlen) {
 if(isv34) {
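Review bot: `extlen` comes straight from the file and is only rejected when negative; it is never compared with the remaining tag length `len`, and `len` is not reduced by the bytes skipped in `url_fskip(s->pb, extlen)`. If `len` still counts the extended header at this point (it looks that way from the `while(len >= taghdrlen)` loop that follows, but the caller is outside the hunk), a crafted size lets the frame loop keep parsing past the real end of the tag, into whatever data follows it. After the skip I would add `len -= extlen + 4;` followed by `if (len < 0) { reason = "extended header longer than tag"; goto error; }`. A short comment noting that the v2.3 size field excludes itself while the v2.4 one does not would also help the next reader; the rest of id3v2_parse lies outside this hunk.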