[FFmpeg-cvslog] avcodec/svq1dec: zero terminate embedded message before printing
Michael Niedermayer
git at videolan.org
Sun Nov 2 11:32:53 CET 2014
ffmpeg | branch: release/1.2 | Michael Niedermayer <michaelni at gmx.at> | Thu Oct 30 18:16:25 2014 +0100| [96dac432f790a6e73d8af10ba84cdbd2f38005b2] | committer: Michael Niedermayer
avcodec/svq1dec: zero terminate embedded message before printing
Fixes out of array access
Fixes: asan_stack-oob_49b1e5_10_009.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit e91ba2efa949470e9157b652535d207a101f91e0)
Conflicts:
libavcodec/svq1dec.c
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=96dac432f790a6e73d8af10ba84cdbd2f38005b2
---
libavcodec/svq1dec.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c
index 5b9a620..a5d35f9 100644
--- a/libavcodec/svq1dec.c
+++ b/libavcodec/svq1dec.c
@@ -497,7 +497,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, DSPContext *dsp,
return result;
}
-static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out)
+static void svq1_parse_string(GetBitContext *bitbuf, uint8_t out[257])
{
uint8_t seed;
int i;
@@ -509,6 +509,7 @@ static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out)
out[i] = get_bits(bitbuf, 8) ^ seed;
seed = string_table[out[i] ^ seed];
}
+ out[i] = 0;
}
static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame)
@@ -551,12 +552,12 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame)
}
if ((s->frame_code ^ 0x10) >= 0x50) {
- uint8_t msg[256];
+ uint8_t msg[257];
svq1_parse_string(bitbuf, msg);
av_log(avctx, AV_LOG_INFO,
- "embedded message: \"%s\"\n", (char *)msg);
+ "embedded message: \"%s\"\n", ((char *)msg) + 1);
}
skip_bits(bitbuf, 2);
More information about the ffmpeg-cvslog
mailing list