-rw-r--r--ChangeLog1
-rw-r--r--src/demuxers/id3.c17
2 files changed, 14 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 868601e85..3ca7d3f98 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -81,6 +81,7 @@ xine-lib (1.1.16.3) 2009-04-03
- Fix another possible int overflow in the 4XM demuxer.
(ref. TKADV2009-004, CVE-2009-0698)
- Fix an integer overflow in the Quicktime demuxer.
+ (TKADV2009-005, CVE-2009-1274)
* Enable libmpeg2new (if configured with --enable-libmpeg2new).
This is not yet production code; the old mpeg2 decoder remains the default.
* Add support for OpenBSD.
diff --git a/src/demuxers/id3.c b/src/demuxers/id3.c
index 1919239e6..6ca05aa86 100644
--- a/src/demuxers/id3.c
+++ b/src/demuxers/id3.c
@@ -273,9 +273,12 @@ static int id3v22_parse_frame_header(input_plugin_t *input,
static int id3v22_interp_frame(input_plugin_t *input,
xine_stream_t *stream,
id3v22_frame_header_t *frame_header) {
- char buf[frame_header->size + 2];
+ const size_t bufsize = frame_header->size + 2;
+ if ( bufsize < 3 ) /* frames has to be _at least_ 1 byte */
+ return 0;
+ char buf[bufsize];
int enc;
-
+
if (input->read (input, buf, frame_header->size) == frame_header->size) {
buf[frame_header->size] = 0;
buf[frame_header->size + 1] = 0;
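Review bot: `char buf[bufsize];` is still a stack VLA whose length comes straight from the frame header, and the new `bufsize < 3` guard only rejects an empty frame and a wrapped addition, so a frame that declares a very large size can still exhaust the stack before `input->read` is called. An upper bound on the size or a heap buffer would close that, e.g. `char *buf = malloc(bufsize); if (!buf) return 0;` with a matching `free(buf)` on each return path; the function body continues past the hunk, so those paths are not visible here. Separately, `frame_header->size + 2` is evaluated in the type of `size` before the conversion to `size_t`; that type is not shown, and if it is signed, a negative value below -2 would pass the guard as a huge `bufsize`. The same points apply to `id3v23_interp_frame` (hunk at +463) and `id3v24_interp_frame` (hunk at +710).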
@@ -460,7 +463,10 @@ static int id3v23_parse_frame_ext_header(input_plugin_t *input,
static int id3v23_interp_frame(input_plugin_t *input,
xine_stream_t *stream,
id3v23_frame_header_t *frame_header) {
- char buf[frame_header->size + 2];
+ const size_t bufsize = frame_header->size + 2;
+ if ( bufsize < 3 ) /* frames has to be _at least_ 1 byte */
+ return 0;
+ char buf[bufsize];
int enc;
if (input->read (input, buf, frame_header->size) == frame_header->size) {
@@ -704,7 +710,10 @@ static int id3v24_parse_ext_header(input_plugin_t *input,
static int id3v24_interp_frame(input_plugin_t *input,
xine_stream_t *stream,
id3v24_frame_header_t *frame_header) {
- char buf[frame_header->size + 2];
+ const size_t bufsize = frame_header->size + 2;
+ if ( bufsize < 3 ) /* frames has to be _at least_ 1 byte */
+ return 0;
+ char buf[bufsize];
int enc;
if (input->read (input, buf, frame_header->size) == frame_header->size) {