The line of code:
frame->size = btoi(bytes, 4, offset += ID3_FRAME_ID);
takes the size value found inside the frame header without checking whether the data it announces is actually present in the buffer. This can be used to cause a read overrun, because
memcpy(frame->data, bytes + (offset += ID3_FRAME_FLAGS), frame->size);
then reads beyond the end of the data.
In addition, since size is an int, a negative value can be returned, causing the allocation to be '0' in the malloc:
frame->data = (char*) malloc(frame->size * sizeof(char));
And a memcpy into a NULL pointer
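A bounds-checked version of the same frame parsing, added here as an illustration and not code from the library the report is about. It assumes the usual ID3v2 frame header layout (4-byte ID, 4-byte big-endian size, 2-byte flags; the macro names come from the report, their values are assumed), keeps the size unsigned so a high-bit size field cannot turn negative, and rejects any frame whose declared body would extend past the buffer before the malloc and memcpy ever run. The three sample buffers are constructed for the example: a well-formed frame, a truncated one, and one whose size field reads as a negative int.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Header field widths; the names appear in the report, the values are assumed. */
#define ID3_FRAME_ID     4
#define ID3_FRAME_SIZE   4
#define ID3_FRAME_FLAGS  2
#define ID3_FRAME_HEADER (ID3_FRAME_ID + ID3_FRAME_SIZE + ID3_FRAME_FLAGS)

typedef struct {
    char id[ID3_FRAME_ID + 1];
    uint32_t size;   /* unsigned: a high-bit size field cannot become negative */
    char *data;
} frame_t;

/* Big-endian 32-bit read; equivalent to btoi(bytes, 4, offset) in the report. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one frame at `offset`. Returns 0 on success and fills *frame (the
 * caller frees frame->data); returns -1 when the header or the declared body
 * would extend past `len`, which is the check missing in the reported code. */
int parse_frame_checked(const unsigned char *bytes, size_t len, size_t offset, frame_t *frame)
{
    if (offset > len || len - offset < ID3_FRAME_HEADER)
        return -1;                                   /* no room for a full header */

    memcpy(frame->id, bytes + offset, ID3_FRAME_ID);
    frame->id[ID3_FRAME_ID] = '\0';
    frame->size = be32(bytes + offset + ID3_FRAME_ID);

    size_t body = offset + ID3_FRAME_HEADER;         /* cannot overflow: checked above */
    if (frame->size > len - body)
        return -1;                                   /* declared size exceeds the buffer */

    frame->data = malloc((size_t)frame->size + 1);   /* +1 so size 0 is still a real allocation */
    if (frame->data == NULL)
        return -1;
    memcpy(frame->data, bytes + body, frame->size);  /* now provably in bounds */
    frame->data[frame->size] = '\0';
    return 0;
}

/* Constructed sample: a TIT2 frame declaring 5 body bytes ("Hello"), flags 0. */
static const unsigned char sample_ok[] = {
    'T','I','T','2', 0x00,0x00,0x00,0x05, 0x00,0x00, 'H','e','l','l','o'
};
/* Constructed sample: same header, but the buffer ends before the body does. */
static const unsigned char sample_truncated[] = {
    'T','I','T','2', 0x00,0x00,0x00,0x05, 0x00,0x00, 'H','e'
};
/* Constructed sample: size field 0x80000000, negative as an int, huge as size_t. */
static const unsigned char sample_negative[] = {
    'T','I','T','2', 0x80,0x00,0x00,0x00, 0x00,0x00, 'H','e','l','l','o'
};

/* Returns 1 if the well-formed sample parses to the expected id and body, else 0. */
int demo_ok(void)
{
    frame_t f;
    if (parse_frame_checked(sample_ok, sizeof sample_ok, 0, &f) != 0)
        return 0;
    int good = f.size == 5 && memcmp(f.data, "Hello", 5) == 0 && strcmp(f.id, "TIT2") == 0;
    free(f.data);
    return good;
}

/* Both malformed samples must be rejected (-1) instead of over-reading. */
int demo_truncated(void)
{
    frame_t f;
    return parse_frame_checked(sample_truncated, sizeof sample_truncated, 0, &f);
}

int demo_negative(void)
{
    frame_t f;
    return parse_frame_checked(sample_negative, sizeof sample_negative, 0, &f);
}

int main(void)
{
    printf("ok=%d truncated=%d negative=%d\n", demo_ok(), demo_truncated(), demo_negative());
    return 0;
}
```

The important ordering is that the size comparison happens against the bytes actually remaining (`len - body`) before any allocation or copy, and that the size is compared as an unsigned quantity; a signed `int` size would pass a `size < remaining` test when negative and then be converted to an enormous `size_t` inside malloc and memcpy.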