RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-03-20 01:50:30 +00:00
Code Issues Projects Releases Wiki Activity

id3v2: Check malloc result. ID3v2 tags can be very large.

Browse Source
This commit is contained in:
Alex Converse 2011-05-25 17:57:33 -07:00
parent 40a5dd2f35
commit 86f868771b
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
libavformat/id3v2.c
View File

@ -237,7 +237,7 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
tag[3] = 0; tag[3] = 0;
tlen = avio_rb24(s->pb); tlen = avio_rb24(s->pb);
} }
if (tlen < 0 || tlen > len - taghdrlen) { if (tlen <= 0 || tlen > len - taghdrlen) {
av_log(s, AV_LOG_WARNING, "Invalid size in frame %s, skipping the rest of tag.\n", tag); av_log(s, AV_LOG_WARNING, "Invalid size in frame %s, skipping the rest of tag.\n", tag);
break; break;
} }
@ -256,6 +256,10 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
if (unsync || tunsync) { if (unsync || tunsync) {
int i, j; int i, j;
av_fast_malloc(&buffer, &buffer_size, tlen); av_fast_malloc(&buffer, &buffer_size, tlen);
if (!buffer) {
av_log(s, AV_LOG_ERROR, "Failed to alloc %d bytes\n", tlen);
goto seek;
}
for (i = 0, j = 0; i < tlen; i++, j++) { for (i = 0, j = 0; i < tlen; i++, j++) {
buffer[j] = avio_r8(s->pb); buffer[j] = avio_r8(s->pb);
if (j > 0 && !buffer[j] && buffer[j - 1] == 0xff) { if (j > 0 && !buffer[j] && buffer[j - 1] == 0xff) {
@ -276,6 +280,7 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
break; break;
} }
/* Skip to end of tag */ /* Skip to end of tag */
seek:
avio_seek(s->pb, next, SEEK_SET); avio_seek(s->pb, next, SEEK_SET);
} }