From 8fb22c3d47ccb87d0ee235226a700d2b3ca97afb Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Thu, 13 Oct 2011 14:47:06 -0700
Subject: mov: Prevent illegal writes when chapter titles are very short.
---
 libavformat/mov.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
(limited to 'libavformat')
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 0e2ad1fe15..06057a29e9 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2369,14 +2369,21 @@ static void mov_read_chapters(AVFormatContext *s)
 // The samples could theoretically be in any encoding if there's an encd
 // atom following, but in practice are only utf-8 or utf-16, distinguished
 // instead by the presence of a BOM
- ch = avio_rb16(sc->pb);
- if (ch == 0xfeff)
- avio_get_str16be(sc->pb, len, title, title_len);
- else if (ch == 0xfffe)
- avio_get_str16le(sc->pb, len, title, title_len);
- else {
- AV_WB16(title, ch);
- avio_get_str(sc->pb, len - 2, title + 2, title_len - 2);
+ if (!len) {
+ title[0] = 0;
+ } else {
+ ch = avio_rb16(sc->pb);
+ if (ch == 0xfeff)
+ avio_get_str16be(sc->pb, len, title, title_len);
+ else if (ch == 0xfffe)
+ avio_get_str16le(sc->pb, len, title, title_len);
+ else {
+ AV_WB16(title, ch);
+ if (len == 1 || len == 2)
+ title[len] = '0';
+ else
+ avio_get_str(sc->pb, len - 2, title + 2, title_len - 2);
+ }
 }
 ff_new_chapter(s, i, st->time_base, sample->timestamp, end, title);
-- cgit v1.2.3
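Review bot: The short-title branch stores the ASCII digit `'0'` (0x30) instead of a NUL terminator: `title[len] = '0';` under `if (len == 1 || len == 2)` leaves `title` unterminated unless the buffer was zero-filled at allocation, which the hunk does not show. `ff_new_chapter()` is then handed `title` as a C string, so a one- or two-byte chapter title from an untrusted file could lead to a read past the end of the buffer; the line should be `title[len] = 0;`. Also note that `avio_rb16()` still consumes two bytes when `len == 1`, and the two BOM branches are reached with `len` of 1 or 2 as well, so it is worth confirming that `title_len` covers those cases. mov_read_chapters starts and ends outside the hunk, so the allocation of `title` and the computation of `title_len` need to be checked there.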