ffmpeg | branch: release/1.1 | Michael Niedermayer <michae...@gmx.at> | Thu Oct
30 18:16:25 2014 +0100| [6c5a57db94b50f091cd56b09cf537b68ebfe50f4] | committer:
Michael Niedermayer
avcodec/svq1dec: zero terminate embedded message before printing
Fixes out of array access
Fixes: asan_stack-oob_49b1e5_10_009.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michae...@gmx.at>
(cherry picked from commit e91ba2efa949470e9157b652535d207a101f91e0)
Conflicts:
libavcodec/svq1dec.c
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6c5a57db94b50f091cd56b09cf537b68ebfe50f4
---
libavcodec/svq1dec.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c
index d5f7581..473bb80 100644
--- a/libavcodec/svq1dec.c
+++ b/libavcodec/svq1dec.c
@@ -500,7 +500,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx,
DSPContext *dsp,
return result;
}
-static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out)
+static void svq1_parse_string(GetBitContext *bitbuf, uint8_t out[257])
{
uint8_t seed;
int i;
@@ -512,6 +512,7 @@ static void svq1_parse_string(GetBitContext *bitbuf,
uint8_t *out)
out[i] = get_bits(bitbuf, 8) ^ seed;
seed = string_table[out[i] ^ seed];
}
+ out[i] = 0;
}
static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame)
@@ -554,12 +555,12 @@ static int svq1_decode_frame_header(AVCodecContext
*avctx, AVFrame *frame)
}
if ((s->frame_code ^ 0x10) >= 0x50) {
- uint8_t msg[256];
+ uint8_t msg[257];
svq1_parse_string(bitbuf, msg);
av_log(avctx, AV_LOG_INFO,
- "embedded message: \"%s\"\n", (char *)msg);
+ "embedded message: \"%s\"\n", ((char *)msg) + 1);
}
skip_bits(bitbuf, 2);
_______________________________________________
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
