mp3utils.c (musicmatch): add a sanity check and another paranoid check.
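--- a/src/codecs/mp3utils.c Wed Dec 11 18:55:02 2019 +0300
+++ b/src/codecs/mp3utils.c Wed Dec 11 18:56:50 2019 +0300
@@ -219,11 +219,11 @@
 Sint32 i, j, imgext_ofs, version_ofs;
 long len;
 
- /* calc. the image extension section ofs */
 MP3_RWseek(m, -68, RW_SEEK_END);
 MP3_RWread(m, buf, 1, 20);
 imgext_ofs = (Sint32)((buf[3] <<24) | (buf[2] <<16) | (buf[1] <<8) | buf[0] );
 version_ofs = (Sint32)((buf[15]<<24) | (buf[14]<<16) | (buf[13]<<8) | buf[12]);
+ if (version_ofs <= imgext_ofs) return -1;
 /* Try finding the version info section:
 * Because metadata section comes after it, and because metadata section
 * has different sizes across versions (format ver. <= 3.00: always 7868
@@ -256,8 +256,15 @@
 #endif
 len += (version_ofs - imgext_ofs);
 if (m->length < len) return -1;
+ #ifdef MMTAG_PARANOID
+ MP3_RWseek(m, -len, RW_SEEK_END);
+ MP3_RWread(m, buf, 1, 8);
+ j = (Sint32)((buf[7] <<24) | (buf[6] <<16) | (buf[5] <<8) | buf[4]);
+ /* verify image size: */
+ if (j + 12 != version_ofs - imgext_ofs) return -1;
+ #endif
+ /* try finding the optional header */
 if (m->length < len + 256) return len;
- /* try finding the optional header */
 MP3_RWseek(m, -(len + 256), RW_SEEK_END);
 MP3_RWread(m, buf, 1, 256);
 /* [0..9]: sync string, [30..255]: 0x20 */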