From 1acd029f40de1a0d3ca292cbbe06ea5a173a84ae Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 21 Dec 2013 12:52:23 +0100
Subject: avformat/wc3movie: Check strings before printing.

Fixes use of uninitialized memory
Fixes: msan_uninit-mem_7f7812ca062f_2812_SC_32_part.MVE
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavformat/wc3movie.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavformat/wc3movie.c b/libavformat/wc3movie.c
index 657380a6be..408c050b7c 100644
--- a/libavformat/wc3movie.c
+++ b/libavformat/wc3movie.c
@@ -27,6 +27,7 @@
 * http://www.pcisys.net/~melanson/codecs/
 */
 
+#include "libavutil/avstring.h"
 #include "libavutil/channel_layout.h"
 #include "libavutil/intreadwrite.h"
 #include "libavutil/dict.h"
@@ -249,10 +250,16 @@ static int wc3_read_packet(AVFormatContext *s,
 else {
 int i = 0;
 av_log (s, AV_LOG_DEBUG, "Subtitle time!\n");
+ if (i >= size || av_strnlen(&text[i + 1], size - i - 1) >= size - i - 1)
+ return AVERROR_INVALIDDATA;
 av_log (s, AV_LOG_DEBUG, " inglish: %s\n", &text[i + 1]);
 i += text[i] + 1;
+ if (i >= size || av_strnlen(&text[i + 1], size - i - 1) >= size - i - 1)
+ return AVERROR_INVALIDDATA;
 av_log (s, AV_LOG_DEBUG, " doytsch: %s\n", &text[i + 1]);
 i += text[i] + 1;
+ if (i >= size || av_strnlen(&text[i + 1], size - i - 1) >= size - i - 1)
+ return AVERROR_INVALIDDATA;
 av_log (s, AV_LOG_DEBUG, " fronsay: %s\n", &text[i + 1]);
 }
 #endif
-- 
cgit v1.2.3
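Review bot: The three added guards in the second hunk bound `i` only from above, while the advance `i += text[i] + 1;` between them still takes the length byte from the file without checking it. The declarations of `text` and `size` are outside the hunk; if `text` is plain `char` and `size` is a signed integer, a length byte of 0x80 or more moves `i` backwards, and `&text[i + 1]` can then fall before the start of the buffer even though `i >= size` is false. Reading the byte as unsigned, `i += (uint8_t)text[i] + 1;`, or adding `i < 0 ||` to each guard, closes that case whatever the declared types are. The guard is also repeated verbatim three times, so a short loop over the three language labels would keep the checks from drifting apart; wc3_read_packet starts and ends outside the hunk.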