From cd96a76985822bcb9a28e9a4a746a9559d4deaa4 Mon Sep 17 00:00:00 2001
From: Tom Finegan
Date: Mon, 17 Aug 2015 12:11:15 -0700
Subject: [PATCH] mkvparser: Avoid rollover/truncation in UnserializeString().
Change-Id: I355d00b59ec1b7645ae5b4010e292215b5da3a17
---
 mkvparser.cpp | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/mkvparser.cpp b/mkvparser.cpp
index 131a0f9..2894490 100644
--- a/mkvparser.cpp
+++ b/mkvparser.cpp
@@ -257,19 +257,19 @@ long mkvparser::UnserializeInt(IMkvReader* pReader, long long pos,
 }
 long mkvparser::UnserializeString(IMkvReader* pReader, long long pos,
- long long size_, char*& str) {
+ long long size, char*& str) {
 delete[] str;
 str = NULL;
- if (size_ >= LONG_MAX) // we need (size+1) chars
+ if (size >= LONG_MAX || size < 0)
 return E_FILE_FORMAT_INVALID;
- const long size = static_cast(size_);
-
- str = new (std::nothrow) char[size + 1];
+ // +1 for '\0' terminator
+ const long required_size = static_cast(size) + 1;
+ str = new (std::nothrow) char[required_size];
 if (str == NULL)
- return -1;
+ return E_FILE_FORMAT_INVALID;
 unsigned char* const buf = reinterpret_cast(str);
@@ -282,9 +282,8 @@ long mkvparser::UnserializeString(IMkvReader* pReader, long long pos,
 return status;
 }
- str[size] = '\0';
-
- return 0; // success
+ str[required_size - 1] = '\0';
+ return 0;
 }
 long mkvparser::ParseElementHeader(IMkvReader* pReader, long long& pos,
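Review bot: After the new `size >= LONG_MAX || size < 0` check, `size` (an element size read from the file, so untrusted) still flows straight into `new (std::nothrow) char[required_size]` without any relation to how much data the reader can actually supply, so a crafted or truncated element can request an allocation of up to LONG_MAX-1 bytes before the read that fills `buf` (between the two hunks, not visible here) fails. Bounding it against the reader before the `required_size` line would reject that early, e.g. `long long total, available; if (pReader->Length(&total, &available) < 0 || (available >= 0 && size > available - pos)) return E_FILE_FORMAT_INVALID;`, keeping the `available >= 0` guard if your reader reports an unknown length as a negative value. Separately, `if (str == NULL) return E_FILE_FORMAT_INVALID;` now reports allocation failure as a malformed file where callers previously saw -1, which hides out-of-memory from them; if that collapse is intentional, a one-line comment saying so would help the next reader. The remainder of UnserializeString's body lies outside the two hunks.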