From: Michael Niedermayer <[email protected]>
Sample-Id: msan_uninit-mem_7f3f90a8606a_3018_Sequence_1-Apple_ProRes_422_LT.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <[email protected]>
---
libavformat/mov.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 7f288cc..e433f87 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -348,7 +348,9 @@ static int mov_read_udta_string(MOVContext *c, AVIOContext
*pb, MOVAtom atom)
if (data_type == 3 || (data_type == 0 && (langcode < 0x400 || langcode
== 0x7fff))) { // MAC Encoded
mov_read_mac_string(c, pb, str_size, str, str_size_alloc);
} else {
- avio_read(pb, str, str_size);
+ int ret = avio_read(pb, str, str_size);
+ if (ret != str_size)
+ return ret < 0 ? ret : AVERROR_INVALIDDATA;
str[str_size] = 0;
}
c->fc->event_flags |= AVFMT_EVENT_FLAG_METADATA_UPDATED;
@@ -477,7 +479,8 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb,
MOVAtom atom)
dref->path = av_mallocz(len+1);
if (!dref->path)
return AVERROR(ENOMEM);
- avio_read(pb, dref->path, len);
+ if (avio_read(pb, dref->path, len) != len)
+ return pb->error ? pb->error : AVERROR_EOF;
if (len > volume_len && !strncmp(dref->path, dref->volume,
volume_len)) {
len -= volume_len;
memmove(dref->path, dref->path+volume_len, len);
--
1.9.3 (Apple Git-50)
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
