Hello.
The loop that parses strings from STRINGLIST in field.c on line 294 depends only on the length parameter and on the function id3_utf16_deserialize() to move the pointer *ptr by length or more in the case of UTF16. However, in several files with UTF16 ID3 tags on my PC the *ptr pointer was moved by one byte less. Following calls of id3_utf16_deserialize() didn't move the pointer at all, so the loop would continue forever or until field->stringlist.strings filled the whole memory. I'm not sure if it's the fault of invalid ID3 tags, but the library should certainly recover from it.
Because the last byte is always a string terminator I fixed it with the horrible hack I attached. I have no idea if it's correct, but it has avoided the infinite loop so far.
I'd love to privately send you test C source and test file with ID3 tags if you're interested.
I'm sorry for my dirty half-analysis. I already gave up on MPD which was the only reason why I was debugging this problem.
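The failure mode described above, a parsing loop that trusts the deserializer to advance the cursor and therefore spins (and grows its list) forever when it does not, can be closed with a progress check in the loop itself. The following is an added example written for this thread, not libid3tag code: `parse_utf16_string` is a toy UTF-16LE deserializer standing in for id3_utf16_deserialize(), `parse_stringlist` plays the role of the STRINGLIST loop, and `MAX_STRINGS`, the return codes and the two `check_*` inputs are all constructed for illustration. It also shows why breaking on the first empty string is lossy: an empty string is a legitimate list element.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap on list elements so a malformed frame cannot grow the
 * list without bound even if the cursor check were bypassed. */
#define MAX_STRINGS 4096

typedef struct {
    uint16_t **strings;
    size_t nstrings;
} stringlist;

/* Toy UTF-16LE deserializer (stand-in for id3_utf16_deserialize, not its
 * code). Copies code units up to and including the 2-byte terminator and
 * advances *ptr by what it consumed. A lone trailing byte (odd-length
 * remainder) is never consumed, which reproduces the reporter's symptom:
 * the function returns without moving the cursor. */
static uint16_t *parse_utf16_string(const uint8_t **ptr, size_t length)
{
    const uint8_t *p = *ptr;
    size_t consumed = 0, n = 0;
    uint16_t *out = malloc((length / 2 + 1) * sizeof *out);
    if (!out)
        return NULL;
    while (consumed + 2 <= length) {
        uint16_t cu = (uint16_t)(p[consumed] | (p[consumed + 1] << 8));
        consumed += 2;
        if (cu == 0)
            break;                  /* terminator consumed, string complete */
        out[n++] = cu;
    }
    out[n] = 0;
    *ptr = p + consumed;
    return out;
}

static void free_stringlist(stringlist *list)
{
    for (size_t i = 0; i < list->nstrings; i++)
        free(list->strings[i]);
    free(list->strings);
    list->strings = NULL;
    list->nstrings = 0;
}

/* Parse a STRINGLIST-style payload. Returns 0 when every byte was consumed,
 * 1 when parsing stopped at bytes the deserializer cannot advance past (the
 * strings parsed so far are kept), -1 on allocation failure. The progress
 * check is the mitigation: a deserializer that does not move the cursor can
 * no longer spin the loop or grow the list forever. */
int parse_stringlist(const uint8_t *data, size_t len, stringlist *list)
{
    const uint8_t *ptr = data, *end = data + len;
    list->strings = NULL;
    list->nstrings = 0;
    while (ptr < end) {
        const uint8_t *before = ptr;
        uint16_t *s = parse_utf16_string(&ptr, (size_t)(end - ptr));
        if (!s) {
            free_stringlist(list);
            return -1;
        }
        if (ptr == before || list->nstrings >= MAX_STRINGS) {
            free(s);                /* no progress or list cap hit: stop here */
            return 1;
        }
        uint16_t **grown = realloc(list->strings, (list->nstrings + 1) * sizeof *grown);
        if (!grown) {
            free(s);
            free_stringlist(list);
            return -1;
        }
        list->strings = grown;
        list->strings[list->nstrings++] = s;   /* empty strings stay elements */
    }
    return 0;
}

/* Constructed input: "A", its terminator, then one stray byte. */
int check_truncated_input(void)
{
    static const uint8_t in[] = { 'A', 0x00, 0x00, 0x00, 0x00 };
    stringlist l;
    int rc = parse_stringlist(in, sizeof in, &l);
    int ok = rc == 1 && l.nstrings == 1 && l.strings[0][0] == 'A' && l.strings[0][1] == 0;
    free_stringlist(&l);
    return ok;
}

/* Constructed input: an empty string followed by "B"; both are list elements,
 * so a loop that breaks on the first empty string would drop "B". */
int check_empty_element(void)
{
    static const uint8_t in[] = { 0x00, 0x00, 'B', 0x00, 0x00, 0x00 };
    stringlist l;
    int rc = parse_stringlist(in, sizeof in, &l);
    int ok = rc == 0 && l.nstrings == 2 && l.strings[0][0] == 0 && l.strings[1][0] == 'B';
    free_stringlist(&l);
    return ok;
}

int main(void)
{
    printf("truncated input handled: %s\n", check_truncated_input() ? "yes" : "no");
    printf("empty element kept:      %s\n", check_empty_element() ? "yes" : "no");
    return 0;
}
```

The `ptr == before` test is the piece that matters for the report: it is independent of encoding and of how far a particular deserializer moves the cursor, so it also covers the one-byte-short case without guessing at what the trailing byte means.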
Better inline the patch...
--- field.c 2014-02-16 04:16:09.109211967 +0100 +++ field2.c 2014-02-16 04:25:58.969814710 +0100 @@ -295,8 +295,6 @@ ucs4 = id3_parse_string(ptr, end - *ptr, *encoding, 0); if (ucs4 == 0) goto fail; - if (*ucs4 == 0) - break;
strings = realloc(field->stringlist.strings, (field->stringlist.nstrings + 1) * sizeof(*strings));
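Review bot: the hunk direction does not match the description. With `--- field.c` as old and `+++ field2.c` as new, the header `@@ -295,8 +295,6 @@` and the two `-` lines show `if (*ucs4 == 0) break;` being removed, while the message says a check was added; if field.c is the edited copy, the diff was produced backwards and should be regenerated as original versus modified. On the change itself: breaking at the first empty string does not address the reported cause (the cursor not advancing after id3_utf16_deserialize()), it silently drops any empty element, which is a valid STRINGLIST entry, and if id3_parse_string returns heap memory the `break` leaks `ucs4`. Checking that `*ptr` actually moved after `id3_parse_string(ptr, end - *ptr, *encoding, 0)` and leaving the loop (or going to `fail`) when it did not would stop the spin for every encoding without losing elements; any early exit should `free(ucs4)` first.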
2014-02-16 15:13 GMT+01:00 Tomáš Nechutný nechtom@gmail.com: