From 41da64d9270b2fa10c93ce74dea014fe8f0bd303 Mon Sep 17 00:00:00 2001
From: Erik de Castro Lopo <erikd@mega-nerd.com>
Date: Sat, 5 Nov 2011 09:49:14 +1100
Subject: [PATCH] src/id3.c : Fix a stack overflow when parsing a file with multiple ID3 headers.

---
 ChangeLog |    8 ++++++++
 src/id3.c |   11 ++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 380aa4c..3fe35fc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2011-11-05  Erik de Castro Lopo  <erikd AT mega-nerd DOT com>
+
+    * src/id3.c
+    Fix a stack overflow that can occur when parsing a file with multiple
+    ID3 headers which would cause libsndfile to go into an infinite recursion
+    until it blew the stack. Thanks to Anders Svensson for supplying an example
+    file.
+
 2011-10-30  Erik de Castro Lopo  <erikd AT mega-nerd DOT com>
 
     * src/double64.c src/float32.c src/common.h
diff --git a/src/id3.c b/src/id3.c
index a1a189e..2fd0a0b 100644
--- a/src/id3.c
+++ b/src/id3.c
@@ -40,11 +40,16 @@ id3_skip (SF_PRIVATE * psf)
 		offset = (offset << 7) | (buf [8] & 0x7f) ;
 		offset = (offset << 7) | (buf [9] & 0x7f) ;
 
-		psf_binheader_readf (psf, "j", make_size_t (offset)) ;
-
 		psf_log_printf (psf, "ID3 length : %d\n--------------------\n", offset) ;
 
-		psf->fileoffset = 10 + offset ;
+		/* Never want to jump backwards in a file. */
+		if (offset < 0)
+			return 0 ;
+
+		/* Calculate new file offset and position ourselves there. */
+		psf->fileoffset += offset + 10 ;
+		psf_binheader_readf (psf, "p", psf->fileoffset) ;
+
 		return 1 ;
 		} ;
 
-- 
1.7.4.1