[FFmpeg-cvslog] Fix id3v2 extended header handling.

[Adrian Drzewiecki]

ffmpeg | branch: master | Adrian Drzewiecki <adrian.drzewiecki at gmail.com> | Thu Dec  1 23:27:41 2011 +0100| [dd7453a24ef6697b3cebfb1abb1e433d36fade62] | committer: Michael Niedermayer

Fix id3v2 extended header handling.

When skipping over the extended header, take into account
that the size field has already been read. The extended header
also takes up space, so adjust total header length accordingly.

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dd7453a24ef6697b3cebfb1abb1e433d36fade62
---

 libavformat/id3v2.c |   18 ++++++++++++++++--
 1 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 4d44c3c..7797cca 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -456,8 +456,22 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
 
     unsync = flags & 0x80;
 
-    if (isv34 && flags & 0x40) /* Extended header present, just skip over it */
-        avio_skip(s->pb, get_size(s->pb, 4));
+    /* Extended header present, just skip over it */
+    if (isv34 && flags & 0x40) {
+        int size = get_size(s->pb, 4);
+        if (size < 6) {
+            reason = "extended header too short.";
+            goto error;
+        }
+        len -= size;
+        if (len < 0) {
+            reason = "extended header too long.";
+            goto error;
+        }
+        /* already seeked past size, skip the reset */
+        size -= 4;
+        avio_skip(s->pb, size);
+    }
 
     while (len >= taghdrlen) {
         unsigned int tflags = 0;