id3v2: fix skipping extended header in id3v2.4
In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208745ea270dce8fce4cba999f0ed4303)
Conflicts:
libavformat/id3v2.c
Signed-off-by: Anton Khirnov <anton@khirnov.net>
diff --git a/libavformat/mp3.c b/libavformat/mp3.c
index fa383d6..ca41408 100644
--- a/libavformat/mp3.c
+++ b/libavformat/mp3.c
@@ -246,8 +246,17 @@
goto error;
}
- if(isv34 && flags & 0x40) /* Extended header present, just skip over it */
- url_fskip(s->pb, id3v2_get_size(s->pb, 4));
+ if (isv34 && flags & 0x40) { /* Extended header present, just skip over it */
+ int extlen = id3v2_get_size(s->pb, 4);
+ if (version == 4)
+ extlen -= 4; // in v2.4 the length includes the length field we just read
+
+ if (extlen < 0) {
+ reason = "invalid extended header length";
+ goto error;
+ }
+ url_fskip(s->pb, extlen);
+ }
while(len >= taghdrlen) {
if(isv34) {
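Review bot: After `url_fskip(s->pb, extlen);` the remaining tag length `len` is never reduced, so the `while(len >= taghdrlen)` loop that follows still counts the extended header's bytes as frame data. `extlen` is also only checked for being negative, not against `len`, so a file that declares an extended header larger than the tag is skipped past the tag's end without an error. I would add `len -= extlen + 4;` right after the skip, followed by `if (len < 0) { reason = "extended header too long"; goto error; }`; the `+ 4` covers the size field in both v2.3 and v2.4 once the v2.4 adjustment has been applied. This assumes `len` is a signed count of the bytes left in the tag. Its declaration and the rest of the function are outside the hunk, so confirm that before applying.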