Hi, to the maintainer of libid3tag.
I found an infinite loop bug in the libid3tag-0.15.0b library, which causes a memory overflow.
The problem occurs when parsing an ID3_FIELD_TYPE_STRINGLIST field, specifically when the data to be parsed ends with '\0'. In this case, **ptr == 0, but end - *ptr is 1, so the loop continues infinitely.
*** field.c 2003-04-19 09:14:33.000000000 +0900 --- field-patched.c 2008-01-13 16:08:22.000000000 +0900 *************** *** 291,297 ****
end = *ptr + length;
! while (end - *ptr > 0) { ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0); if (ucs4 == 0) goto fail; --- 291,297 ----
end = *ptr + length;
! while (end - *ptr > 0 && **ptr != '\0') { ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0); if (ucs4 == 0) goto fail;
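Review bot: the added `**ptr != '\0'` test in the `while` condition stops the list at any string whose first byte is 0x00, and that is legitimate input when `*encoding` selects a UTF-16 big-endian encoding (the code unit for an ASCII character such as 'A' is the byte pair 00 41), so every string from that point on would be silently dropped. It also only covers the trailing-NUL case: if id3_parse_string returns a non-NULL string without advancing *ptr for any other reason (worth checking how the UTF-16 path treats an odd trailing byte), `end - *ptr > 0` stays true and the loop still spins. A progress check handles both without touching the original condition: save `*ptr` before the call and bail out when it has not moved, e.g. `if (*ptr == start) { free(ucs4); break; }` right after the `ucs4 == 0` check.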