Module: libav Branch: master Commit: 46191a2da16f751e53d93646ae1388d421d12bee
Author: Anton Khirnov <[email protected]> Committer: Anton Khirnov <[email protected]> Date: Sat Dec 17 14:17:20 2016 +0100 mov: fix a possible invalid read in mov_read_mac_string() When the input string is too large, so the second condition in if () fails, the code will erroneously execute the else branch, indexing the mac_to_unicode table with a negative index. CC: [email protected] Bug-Id: 1000 Found-By: Kamil Frankowicz --- libavformat/mov.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 7fe639d..ed10a15 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -161,7 +161,11 @@ static int mov_read_mac_string(MOVContext *c, AVIOContext *pb, int len, for (i = 0; i < len; i++) { uint8_t t, c = avio_r8(pb); - if (c < 0x80 && p < end) + + if (p >= end) + continue; + + if (c < 0x80) *p++ = c; else PUT_UTF8(mac_to_unicode[c-0x80], t, if (p < end) *p++ = t;); _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
