From 64be0d1edad630f5bc0f287022f5880de07915b2 Mon Sep 17 00:00:00 2001
From: Stefano Sabatini
Date: Wed, 18 May 2011 00:43:25 +0200
Subject: [PATCH] id3v2: prevent unsigned integer overflow in ff_id3v2_parse()

In ff_id3v2_parse(), prevent unsigned integer overflow if data length indicator is skipped and tlen is < 4. Fix crash decoding file Allaby_cut.mp3, fix trac issue #182.
---
 libavformat/id3v2.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index e1958bdf4f..3640b11ab1 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -255,6 +255,8 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
 next = avio_tell(s->pb) + tlen;
 if (tflags & ID3v2_FLAG_DATALEN) {
+ if (tlen < 4)
+ break;
 avio_rb32(s->pb);
 tlen -= 4;
 }
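Review bot: The new `if (tlen < 4) break;` guard leaves the frame loop with no diagnostic and no explanation of the constant, so a truncated or deliberately malformed tag is dropped silently and the 4 reads as a magic number. I would add a comment above it such as `/* the data length indicator read by avio_rb32() takes 4 bytes of the frame; a shorter frame would make tlen -= 4 wrap */`, and consider an `av_log(s, AV_LOG_WARNING, ...)` call before the `break` so that files hitting this path show up during triage. `next` is computed from the unreduced `tlen` just before the guard, so whether skipping only this frame would be preferable to abandoning the rest of the tag depends on the loop tail, which is outside the hunk, as are the start and end of ff_id3v2_parse().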