From f70c720d42d0e222b70fc580a36832a7b0ef89fa Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sat, 31 Mar 2012 07:52:42 +0200
Subject: [PATCH] id3v2: fix skipping extended header in id3v2.4
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)
Conflicts:
libavformat/id3v2.c
Signed-off-by: Anton Khirnov
---
 libavformat/id3v2.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 6fa11db6c0..8c1c0710e7 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -187,8 +187,17 @@ void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t flags)
 goto error;
 }
- if (isv34 && flags & 0x40) /* Extended header present, just skip over it */
- url_fskip(s->pb, get_size(s->pb, 4));
+ if (isv34 && flags & 0x40) { /* Extended header present, just skip over it */
+ int extlen = get_size(s->pb, 4);
+ if (version == 4)
+ extlen -= 4; // in v2.4 the length includes the length field we just read
+
+ if (extlen < 0) {
+ reason = "invalid extended header length";
+ goto error;
+ }
+ url_fskip(s->pb, extlen);
+ }
 while (len >= taghdrlen) {
 if (isv34) {
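Review bot: `extlen` is only checked for being negative, so a length field from the file that exceeds the remaining tag still drives `url_fskip(s->pb, extlen)`, and `len` is not reduced before the `while (len >= taghdrlen)` loop that follows. Assuming `len` counts the extended header, as the ID3v2 tag size does, the frame loop can then read `extlen + 4` bytes past the end of the tag and treat the data after it as frames. I would tighten the guard to `if (extlen < 0 || extlen > len - 4) {` and add `len -= extlen + 4;` right after the skip. The four bytes consumed by `get_size` are the same in v2.3 and v2.4 once the v2.4 adjustment has been applied, so one formula covers both. `ff_id3v2_parse` starts and ends outside this hunk, so confirm `len` is not already adjusted elsewhere.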