Lifted from Debian: https://sources.debian.org/patches/libid3tag/0.15.1b-14/10_utf16.dpatch/ Also fixes: CVE-2008-2109 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480187#12 CVE-2017-11551 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870333#10 Handle bogus UTF16 sequences that have a length that is not an even number of 8 bit characters. --- libid3tag-0.15.1b/utf16.c 2006-01-13 15:26:29.000000000 +0100 +++ libid3tag-0.15.1b/utf16.c 2006-01-13 15:27:19.000000000 +0100 @@ -282,5 +282,18 @@ free(utf16); + if (end == *ptr && length % 2 != 0) + { + /* We were called with a bogus length. It should always + * be an even number. We can deal with this in a few ways: + * - Always give an error. + * - Try and parse as much as we can and + * - return an error if we're called again when we + * already tried to parse everything we can. + * - tell that we parsed it, which is what we do here. + */ + (*ptr)++; + } + return ucs4; }