From 69bc8833d2108303d7984cab5e1ad5f49dd66085 Mon Sep 17 00:00:00 2001
From: Thibaut Mattern <thibaut.mattern@gmail.com>
Date: Thu, 7 Feb 2008 22:36:52 +0100
Subject: Improve detection of MP3 streams with ID3v2 tags. Don't trust the tag
 size.

---
 ChangeLog                     | 2 ++
 src/demuxers/demux_mpgaudio.c | 5 ++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 5cbde5090..02634b43d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,8 @@ xine-lib (1.1.10.1) unreleased
       arbitrary code via a crafted FLAC tag, causing a stack buffer overflow.
       (CVE-2008-0486)
   * Fix a RealPlayer codec detection bug.
+  * Improve detection of MP3 streams with ID3v2 tags. Don't trust the tag
+    size.
 
 xine-lib (1.1.10) 2008-01-26
   * Security fixes:
diff --git a/src/demuxers/demux_mpgaudio.c b/src/demuxers/demux_mpgaudio.c
index 1bea02302..82a7dd7ab 100644
--- a/src/demuxers/demux_mpgaudio.c
+++ b/src/demuxers/demux_mpgaudio.c
@@ -807,7 +807,6 @@ static int demux_mpgaudio_read_head(input_plugin_t *input, uint8_t *buf) {
  * return 1 if detected, 0 otherwise
  */
 static int detect_mpgaudio_file(input_plugin_t *input) {
-  mpg_audio_frame_t frame;
   uint8_t buf[MAX_PREVIEW_SIZE];
   int preview_len;
   uint32_t head;
@@ -838,8 +837,8 @@ static int detect_mpgaudio_file(input_plugin_t *input) {
       lprintf("cannot read mp3 frame header\n");
       return 0;
     }
-    if (!parse_frame_header(&frame, &buf[10 + tag_size])) {
-      lprintf ("invalid mp3 frame header\n");
+    if (!sniff_buffer_looks_like_mp3(&buf[10 + tag_size], preview_len - 10 - tag_size)) {
+      lprintf ("sniff_buffer_looks_like_mp3 failed\n");
       return 0;
     } else {
       lprintf ("a valid mp3 frame follows the id3v2 tag\n");
-- 
cgit v1.2.3