Commit e91ba2ef authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/svq1dec: zero terminate embedded message before printing

Fixes out of array access
Fixes: asan_stack-oob_49b1e5_10_009.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 10e32618
...@@ -499,7 +499,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, HpelDSPContext *hdsp, ...@@ -499,7 +499,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, HpelDSPContext *hdsp,
return result; return result;
} }
static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) static void svq1_parse_string(GetBitContext *bitbuf, uint8_t out[257])
{ {
uint8_t seed; uint8_t seed;
int i; int i;
...@@ -511,6 +511,7 @@ static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) ...@@ -511,6 +511,7 @@ static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out)
out[i] = get_bits(bitbuf, 8) ^ seed; out[i] = get_bits(bitbuf, 8) ^ seed;
seed = string_table[out[i] ^ seed]; seed = string_table[out[i] ^ seed];
} }
out[i] = 0;
} }
static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame)
...@@ -553,12 +554,12 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) ...@@ -553,12 +554,12 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame)
} }
if ((s->frame_code ^ 0x10) >= 0x50) { if ((s->frame_code ^ 0x10) >= 0x50) {
uint8_t msg[256]; uint8_t msg[257];
svq1_parse_string(bitbuf, msg); svq1_parse_string(bitbuf, msg);
av_log(avctx, AV_LOG_INFO, av_log(avctx, AV_LOG_INFO,
"embedded message:\n%s\n", (char *)msg); "embedded message:\n%s\n", ((char *)msg) + 1);
} }
skip_bits(bitbuf, 2); skip_bits(bitbuf, 2);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment