Module: libav
Branch: release/12
Commit: fcf061fa096b8661668a332d4a1c73a9abd14b8f

Author: Anton Khirnov <[email protected]>
Committer: Anton Khirnov <[email protected]>
Date: Sat Dec 17 14:17:20 2016 +0100

mov: fix a possible invalid read in mov_read_mac_string()

When the input string is too large, so the second condition in if () fails, the code will erroneously execute the else branch, indexing the mac_to_unicode table with a negative index.

CC: [email protected]
Bug-Id: 1000
Found-By: Kamil Frankowicz
(cherry picked from commit 46191a2da16f751e53d93646ae1388d421d12bee)
Signed-off-by: Anton Khirnov <[email protected]>
---
libavformat/mov.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c index 969df27..af748cb 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -159,7 +159,11 @@ static int mov_read_mac_string(MOVContext *c, AVIOContext *pb, int len, for (i = 0; i < len; i++) { uint8_t t, c = avio_r8(pb); - if (c < 0x80 && p < end) + + if (p >= end) + continue; + + if (c < 0x80) *p++ = c; else PUT_UTF8(mac_to_unicode[c-0x80], t, if (p < end) *p++ = t;);
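
Review bot: The added `if (p >= end) continue;` at the top of the loop body truncates the output silently and gives no reason for using `continue` rather than `break`; a short comment stating that the loop deliberately keeps calling `avio_r8(pb)` so that all `len` input bytes are still read from `pb` would stop a later cleanup from turning it into an early exit. The guard itself does what the commit message says: the `else` branch is now reached only when `c >= 0x80`, so `mac_to_unicode[c-0x80]` can no longer be indexed with a negative value. In the unchanged `PUT_UTF8(...)` context line the `if (p < end)` test is applied per emitted byte, so a multi-byte sequence can still be cut partway when the buffer fills; checking that the whole sequence fits before emitting it would avoid leaving a partial sequence at the end of the destination. The local `uint8_t t, c` also shadows the `MOVContext *c` parameter visible in the hunk header, which makes `c < 0x80` harder to read than it needs to be; renaming the byte variable would help.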
