mov: fix a possible invalid read in mov_read_mac_string()

When the input string is too large, so the second condition in if () fails, the code will erroneously execute the else branch, indexing the mac_to_unicode table with a negative index. CC: libav-stable@libav.org Bug-Id: 1000 Found-By: Kamil Frankowicz
author: Anton Khirnov <anton@khirnov.net> 2016-12-17 14:17:20 +0100
committer: Anton Khirnov <anton@khirnov.net> 2016-12-19 08:14:59 +0100
commit: 46191a2da16f751e53d93646ae1388d421d12bee (patch)
tree: 6dd4e73f2e0589bc384fcfd9cc1f5a017ea1eb9e /libavformat/mov.c
parent: cfa4eb4fba782f3f37a33be997b27a91a07053c9 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 7fe639dd5e..ed10a15625 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -161,7 +161,11 @@ static int mov_read_mac_string(MOVContext *c, AVIOContext *pb, int len,
 
     for (i = 0; i < len; i++) {
         uint8_t t, c = avio_r8(pb);
-        if (c < 0x80 && p < end)
+
+        if (p >= end)
+            continue;
+
+        if (c < 0x80)
             *p++ = c;
         else
             PUT_UTF8(mac_to_unicode[c-0x80], t, if (p < end) *p++ = t;);
author	Anton Khirnov <anton@khirnov.net>	2016-12-17 14:17:20 +0100
committer	Anton Khirnov <anton@khirnov.net>	2016-12-19 08:14:59 +0100
commit	46191a2da16f751e53d93646ae1388d421d12bee (patch)
tree	6dd4e73f2e0589bc384fcfd9cc1f5a017ea1eb9e /libavformat/mov.c
parent	cfa4eb4fba782f3f37a33be997b27a91a07053c9 (diff)