From: Alex Converse
Date: Thu, 26 May 2011 00:57:33 +0000 (-0700)
Subject: id3v2: Check malloc result. ID3v2 tags can be very large.
X-Git-Tag: v0.7rc1~279
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=86f868771bac89168086285b71186fd8cf934cc3;p=platform%2Fupstream%2Flibav.git
id3v2: Check malloc result. ID3v2 tags can be very large.
---
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 948261a..06ae6f8 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -237,7 +237,7 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
 tag[3] = 0;
 tlen = avio_rb24(s->pb);
 }
- if (tlen < 0 || tlen > len - taghdrlen) {
+ if (tlen <= 0 || tlen > len - taghdrlen) {
 av_log(s, AV_LOG_WARNING, "Invalid size in frame %s, skipping the rest of tag.\n", tag);
 break;
 }
@@ -256,6 +256,10 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
 if (unsync || tunsync) {
 int i, j;
 av_fast_malloc(&buffer, &buffer_size, tlen);
+ if (!buffer) {
+ av_log(s, AV_LOG_ERROR, "Failed to alloc %d bytes\n", tlen);
+ goto seek;
+ }
 for (i = 0, j = 0; i < tlen; i++, j++) {
 buffer[j] = avio_r8(s->pb);
 if (j > 0 && !buffer[j] && buffer[j - 1] == 0xff) {
@@ -276,6 +280,7 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
 break;
 }
 /* Skip to end of tag */
+seek:
 avio_seek(s->pb, next, SEEK_SET);
 }
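Review bot: The `tlen <= 0` test in the `@@ -237,7 +237,7 @@` hunk now sends an empty frame down the corrupt-size path: it logs "Invalid size in frame %s, skipping the rest of tag." and hits `break`, so frames that follow a zero-length one in the same tag are no longer parsed. `tlen` is read straight from the input (`avio_rb24(s->pb)` in the context lines), so one zero-size frame early in a tag is enough to drop the remaining metadata with only a warning. If that is intended, document it at the check, e.g. `/* tlen == 0: an empty frame is treated as invalid and ends parsing of this tag */`; otherwise handle zero separately and skip only that frame. The loop's length bookkeeping lies outside the hunk, so where such a skip would belong cannot be judged from here.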
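Review bot: The allocation size in the `@@ -256,6 +256,10 @@` hunk is still whatever the frame header declared; the only visible bound on `tlen` is `tlen > len - taghdrlen` from the first hunk, which compares against the tag's own declared length, not against the data actually present. The added `!buffer` check makes a failed `av_fast_malloc` safe, but a truncated or malformed file can still request a large buffer and then run `tlen` iterations of `buffer[j] = avio_r8(s->pb)`. Consider an end-of-input check in that copy loop, whose body continues outside the hunk. The `goto seek` path skips just this frame through the `seek:` label added in the last hunk, and the function returns `void`, so callers never learn of the failure. A comment such as `/* av_fast_malloc() leaves buffer NULL on failure: skip this frame, keep parsing */` would record that choice.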