Add check for ID3v2 frame data length (#1300)

Also fix some wrong frame sizes in the unit tests. --------- Co-authored-by: Urs Fleisch <ufleisch@users.sourceforge.net>
2026-04-12 17:09:50 -04:00 · 2026-01-31 01:24:54 -06:00
parent 51f431c96a
commit 397b6c1de3
2 changed files with 16 additions and 6 deletions
--- a/taglib/mpeg/id3v2/id3v2frame.cpp
+++ b/taglib/mpeg/id3v2/id3v2frame.cpp
@ -295,6 +295,13 @@ ByteVector Frame::fieldData(const ByteVector &frameData) const
    frameDataLength = SynchData::toUInt(frameData.mid(headerSize, 4));
    frameDataOffset += 4;
  }
+  if(frameData.size() >= headerSize &&
+     frameDataOffset + frameDataLength > frameData.size()) {
+    // The first check is needed because some "dual purpose" frame constructors
+    // call this method with only the frame ID, i.e. without a complete header.
+    debug("Invalid frame data length");
+    return ByteVector();
+  }

  if(zlib::isAvailable() && d->header->compression() && !d->header->encryption()) {
    if(frameData.size() <= frameDataOffset) {