generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

avcodec/svq1dec: zero terminate embedded message before printing

Browse Source 
Fixes out of array access
Fixes: asan_stack-oob_49b1e5_10_009.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e91ba2efa9)

Conflicts:

	libavcodec/svq1dec.c
This commit is contained in:
Michael Niedermayer
2014-10-30 18:16:25 +01:00
parent 961bbb98cf
commit 6c5a57db94
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
libavcodec/svq1dec.c
View File

@@ -500,7 +500,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, DSPContext *dsp,
return result; return result;
} }
static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out) static void svq1_parse_string(GetBitContext *bitbuf, uint8_t out[257])
{ {
uint8_t seed; uint8_t seed;
int i; int i;
@@ -512,6 +512,7 @@ static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out)
out[i] = get_bits(bitbuf, 8) ^ seed; out[i] = get_bits(bitbuf, 8) ^ seed;
seed = string_table[out[i] ^ seed]; seed = string_table[out[i] ^ seed];
} }
out[i] = 0;
} }
static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame) static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame)
@@ -554,12 +555,12 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame)
} }
if ((s->frame_code ^ 0x10) >= 0x50) { if ((s->frame_code ^ 0x10) >= 0x50) {
uint8_t msg[256]; uint8_t msg[257];
svq1_parse_string(bitbuf, msg); svq1_parse_string(bitbuf, msg);
av_log(avctx, AV_LOG_INFO, av_log(avctx, AV_LOG_INFO,
"embedded message: \"%s\"\n", (char *)msg); "embedded message: \"%s\"\n", ((char *)msg) + 1);
} }
skip_bits(bitbuf, 2); skip_bits(bitbuf, 2);