From a094ce7dd2e0498b37683b62a582eb8beb54548e Mon Sep 17 00:00:00 2001
From: Scott Wheeler <scott@directededge.com>
Date: Mon, 18 May 2015 17:11:06 +0200
Subject: [PATCH] Don't underflow if there are no embedded frames

Closes #513
---
 taglib/mpeg/id3v2/frames/chapterframe.cpp |  5 ++++
 tests/test_id3v2.cpp                      | 30 ++++++++++++++---------
 2 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/taglib/mpeg/id3v2/frames/chapterframe.cpp b/taglib/mpeg/id3v2/frames/chapterframe.cpp
index ea02f529..99572888 100644
--- a/taglib/mpeg/id3v2/frames/chapterframe.cpp
+++ b/taglib/mpeg/id3v2/frames/chapterframe.cpp
@@ -239,6 +239,11 @@ void ChapterFrame::parseFields(const ByteVector &data)
   pos += 4;
   size -= pos;
 
+  // Embedded frames are optional
+
+  if(size < header()->size())
+    return;
+
   while((uint)embPos < size - header()->size()) {
     Frame *frame = FrameFactory::instance()->createFrame(data.mid(pos + embPos), d->tagHeader);
 
diff --git a/tests/test_id3v2.cpp b/tests/test_id3v2.cpp
index 242c6da4..3a189393 100644
--- a/tests/test_id3v2.cpp
+++ b/tests/test_id3v2.cpp
@@ -907,17 +907,25 @@ public:
                  "\x00"                     // TIT2 frame text encoding
                  "CH1", 14);                // Chapter title
 
-    ID3v2::ChapterFrame f(&header, chapterData + embeddedFrameData);
-
-    CPPUNIT_ASSERT_EQUAL(ByteVector("\x43\x00", 2),
-                         f.elementID());
-    CPPUNIT_ASSERT((uint)0x03 == f.startTime());
-    CPPUNIT_ASSERT((uint)0x05 == f.endTime());
-    CPPUNIT_ASSERT((uint)0x02 == f.startOffset());
-    CPPUNIT_ASSERT((uint)0x03 == f.endOffset());
-    CPPUNIT_ASSERT((uint)0x01 == f.embeddedFrameList().size());
-    CPPUNIT_ASSERT(f.embeddedFrameList("TIT2").size() == 1);
-    CPPUNIT_ASSERT(f.embeddedFrameList("TIT2")[0]->toString() == "CH1");
+    ID3v2::ChapterFrame f1(&header, chapterData);
+
+    CPPUNIT_ASSERT_EQUAL(ByteVector("\x43\x00", 2), f1.elementID());
+    CPPUNIT_ASSERT((uint)0x03 == f1.startTime());
+    CPPUNIT_ASSERT((uint)0x05 == f1.endTime());
+    CPPUNIT_ASSERT((uint)0x02 == f1.startOffset());
+    CPPUNIT_ASSERT((uint)0x03 == f1.endOffset());
+    CPPUNIT_ASSERT((uint)0x00 == f1.embeddedFrameList().size());
+
+    ID3v2::ChapterFrame f2(&header, chapterData + embeddedFrameData);
+
+    CPPUNIT_ASSERT_EQUAL(ByteVector("\x43\x00", 2), f2.elementID());
+    CPPUNIT_ASSERT((uint)0x03 == f2.startTime());
+    CPPUNIT_ASSERT((uint)0x05 == f2.endTime());
+    CPPUNIT_ASSERT((uint)0x02 == f2.startOffset());
+    CPPUNIT_ASSERT((uint)0x03 == f2.endOffset());
+    CPPUNIT_ASSERT((uint)0x01 == f2.embeddedFrameList().size());
+    CPPUNIT_ASSERT(f2.embeddedFrameList("TIT2").size() == 1);
+    CPPUNIT_ASSERT(f2.embeddedFrameList("TIT2")[0]->toString() == "CH1");
   }
 
   void testRenderChapterFrame()
-- 
2.40.0