Signed-off-by: David Goldwich <[email protected]>
---
libavformat/oma.c | 16 +++++++++++-----
1 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/libavformat/oma.c b/libavformat/oma.c
index 0d81a43..4f4837d 100644
--- a/libavformat/oma.c
+++ b/libavformat/oma.c
@@ -394,14 +394,20 @@ static int oma_read_probe(AVProbeData *p)
unsigned tag_len = 0;
buf = p->buf;
- /* version must be 3 and flags byte zero */
- if (ff_id3v2_match(buf, ID3v2_EA3_MAGIC) && buf[3] == 3 && !buf[4])
- tag_len = ff_id3v2_tag_len(buf);
- // This check cannot overflow as tag_len has at most 28 bits
- if (p->buf_size < tag_len + 5)
+ if (p->buf_size < ID3v2_HEADER_SIZE ||
+ !ff_id3v2_match(buf, ID3v2_EA3_MAGIC) ||
+ buf[3] != 3 || // version must be 3
+ buf[4]) // flags byte zero
return 0;
+ tag_len = ff_id3v2_tag_len(buf);
+
+ /* This check cannot overflow as tag_len has at most 28 bits */
+ if (p->buf_size < tag_len + 5)
+ /* EA3 header comes late, might be outside of the probe buffer */
+ return AVPROBE_SCORE_MAX / 2;
+
buf += tag_len;
if (!memcmp(buf, "EA3", 3) && !buf[4] && buf[5] == EA3_HEADER_SIZE)
--
1.7.5.4
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
