diff options
| author | Alex Converse <alex.converse@gmail.com> | 2011-10-13 14:47:06 -0700 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2011-11-04 01:11:18 +0100 |
| commit | 5c18bcfd9cb6b4bbb40d487b52226ed5cf79320e (patch) | |
| tree | bbf635763f41e67fbbef3adff7d0795491b690b1 | |
| parent | 62cf52c8602efe8cf8c4713a8f44d5f76a908bb8 (diff) | |
| download | ffmpeg-5c18bcfd9cb6b4bbb40d487b52226ed5cf79320e.tar.gz | |
mov: Prevent illegal writes when chapter titles are very short.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
| -rw-r--r-- | libavformat/mov.c | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c index cdba33dcb0..553abc246a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2402,14 +2402,21 @@ static void mov_read_chapters(AVFormatContext *s) // The samples could theoretically be in any encoding if there's an encd // atom following, but in practice are only utf-8 or utf-16, distinguished // instead by the presence of a BOM - ch = avio_rb16(sc->pb); - if (ch == 0xfeff) - avio_get_str16be(sc->pb, len, title, title_len); - else if (ch == 0xfffe) - avio_get_str16le(sc->pb, len, title, title_len); - else { - AV_WB16(title, ch); - get_strz(sc->pb, title + 2, len - 1); + if (!len) { + title[0] = 0; + } else { + ch = avio_rb16(sc->pb); + if (ch == 0xfeff) + avio_get_str16be(sc->pb, len, title, title_len); + else if (ch == 0xfffe) + avio_get_str16le(sc->pb, len, title, title_len); + else { + AV_WB16(title, ch); + if (len == 1 || len == 2) + title[len] = '0'; + else + get_strz(sc->pb, title + 2, len - 1); + } } ff_new_chapter(s, i, st->time_base, sample->timestamp, end, title); |