Commit 46191a2d authored by Anton Khirnov

mov: fix a possible invalid read in mov_read_mac_string()

When the input string is too large, so the second condition in if ()
fails, the code will erroneously execute the else branch, indexing the
mac_to_unicode table with a negative index.

CC: libav-stable@libav.org
Bug-Id: 1000
Found-By: Kamil Frankowicz
parent cfa4eb4f
...@@ -161,7 +161,11 @@ static int mov_read_mac_string(MOVContext *c, AVIOContext *pb, int len, ...@@ -161,7 +161,11 @@ static int mov_read_mac_string(MOVContext *c, AVIOContext *pb, int len,
for (i = 0; i < len; i++) { for (i = 0; i < len; i++) {
uint8_t t, c = avio_r8(pb); uint8_t t, c = avio_r8(pb);
if (c < 0x80 && p < end)
if (p >= end)
continue;
if (c < 0x80)
*p++ = c; *p++ = c;
else else
PUT_UTF8(mac_to_unicode[c-0x80], t, if (p < end) *p++ = t;); PUT_UTF8(mac_to_unicode[c-0x80], t, if (p < end) *p++ = t;);
......
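Review bot: In the new `if (p >= end) continue;` branch the loop still reads every remaining byte with `avio_r8(pb)` and discards it, which is easy to misread as a missed `break`. If the intent is to consume all `len` input bytes while silently truncating the output, say so in a comment on that line. The `if (p < end)` guard kept inside `PUT_UTF8(...)` is still needed, because one Mac character can expand to several UTF-8 bytes, but it can stop writing in the middle of a sequence and leave an incomplete UTF-8 character at the end of the destination; checking that the whole encoded character fits before writing any of it would avoid that. Separately, the local `uint8_t c` shadows the `MOVContext *c` parameter, and renaming it would make the function easier to read.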