diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2014-10-30 18:16:25 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2014-10-30 18:23:09 +0100 |
| commit | e91ba2efa949470e9157b652535d207a101f91e0 (patch) | |
| tree | 2590566d075852cf1285363f3449f9f2eab72314 | |
| parent | 10e32618acce9c3fc64c061eb7907e8a8d2749ae (diff) | |
| download | ffmpeg-e91ba2efa949470e9157b652535d207a101f91e0.tar.gz | |
avcodec/svq1dec: zero terminate embedded message before printing
Fixes out of array access
Fixes: asan_stack-oob_49b1e5_10_009.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavcodec/svq1dec.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 121ebc43e9..052b61839e 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -499,7 +499,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, HpelDSPContext *hdsp, return result; } -static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) +static void svq1_parse_string(GetBitContext *bitbuf, uint8_t out[257]) { uint8_t seed; int i; @@ -511,6 +511,7 @@ static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) out[i] = get_bits(bitbuf, 8) ^ seed; seed = string_table[out[i] ^ seed]; } + out[i] = 0; } static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) @@ -553,12 +554,12 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) } if ((s->frame_code ^ 0x10) >= 0x50) { - uint8_t msg[256]; + uint8_t msg[257]; svq1_parse_string(bitbuf, msg); av_log(avctx, AV_LOG_INFO, - "embedded message:\n%s\n", (char *)msg); + "embedded message:\n%s\n", ((char *)msg) + 1); } skip_bits(bitbuf, 2); |