From 03289958938e91dc9bc398fdf1489677c6030063 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 4 Jul 2008 22:04:41 +0000
Subject: All mp3 parsers are buggy fix 2 of n (out of array write, i suspect not exploitable)
Originally committed as revision 14070 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavformat/mp3.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'libavformat/mp3.c')
diff --git a/libavformat/mp3.c b/libavformat/mp3.c
index 6d9689a649..e987904f6a 100644
--- a/libavformat/mp3.c
+++ b/libavformat/mp3.c
@@ -205,7 +205,7 @@ static void id3v2_read_ttag(AVFormatContext *s, int taglen, char *dst, int dstle
 break;
 case 3: /* UTF-8 */
- len = FFMIN(taglen, dstlen);
+ len = FFMIN(taglen, dstlen-1);
 get_buffer(s->pb, dst, len);
 dst[len] = 0;
 break;
-- cgit v1.2.3
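Review bot: The new `dstlen-1` bound in the `case 3` (UTF-8) branch caps `len` from above only; `len` is a signed `int`, so a `dstlen` of 0 or a negative `taglen` would still let `dst[len] = 0` write before the start of `dst` and pass a negative size to `get_buffer`. Whether either value can reach this branch depends on checks earlier in `id3v2_read_ttag` and in its callers, which lie outside the hunk, so a local guard right after the `FFMIN` line, `if (len < 0) break;`, would make the branch safe on its own. The return value of `get_buffer` is also ignored: on a short read the terminator is still placed at `len`, which can leave stale bytes from `dst` in the tag string. If `get_buffer` returns the number of bytes read, as it appears to, terminating at that count instead would avoid this.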