
id3v2: allocate large enough buffer

Fixes array overread

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
tags/n2.0
Michael Niedermayer 13 years ago
parent
commit
24cfe91a22
1 changed files with 2 additions and 1 deletions
libavformat/id3v2.c

@@ -489,7 +489,8 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, char *tag
goto fail;
}

apic->buf = av_buffer_alloc(taglen);
apic->buf = av_buffer_alloc(taglen + FF_INPUT_BUFFER_PADDING_SIZE);
apic->buf->size -= FF_INPUT_BUFFER_PADDING_SIZE;
if (!apic->buf || !taglen || avio_read(pb, apic->buf->data, taglen) != taglen)
goto fail;
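
Review bot: The added `apic->buf->size -= FF_INPUT_BUFFER_PADDING_SIZE;` dereferences `apic->buf` before the `!apic->buf` test in the `if` that follows it, so a failed `av_buffer_alloc()` turns into a NULL pointer dereference instead of reaching `goto fail`. Test `!apic->buf` immediately after the allocation and only then shrink `size`, leaving the `!taglen` and `avio_read()` checks where they are. Two smaller points on the same lines: nothing visible here zeroes the `FF_INPUT_BUFFER_PADDING_SIZE` bytes past `taglen`, so readers that rely on the padding would see uninitialized memory unless it is cleared after the read; and `taglen + FF_INPUT_BUFFER_PADDING_SIZE` is an `int` addition, so it is worth confirming that `taglen` is bounded earlier in `read_apic()` before it is used as the allocation size.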


