mov: Prevent illegal writes when chapter titles are very short.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2011-10-13 14:47:06 -07:00 · 2011-10-13 14:47:06 -07:00 · 5c18bcfd9c
commit 5c18bcfd9c
parent 62cf52c860
1 changed files with 15 additions and 8 deletions
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@ -2402,14 +2402,21 @@ static void mov_read_chapters(AVFormatContext *s)
        // The samples could theoretically be in any encoding if there's an encd
        // atom following, but in practice are only utf-8 or utf-16, distinguished
        // instead by the presence of a BOM
-        ch = avio_rb16(sc->pb);
-        if (ch == 0xfeff)
-            avio_get_str16be(sc->pb, len, title, title_len);
-        else if (ch == 0xfffe)
-            avio_get_str16le(sc->pb, len, title, title_len);
-        else {
-            AV_WB16(title, ch);
-            get_strz(sc->pb, title + 2, len - 1);
+        if (!len) {
+            title[0] = 0;
+        } else {
+            ch = avio_rb16(sc->pb);
+            if (ch == 0xfeff)
+                avio_get_str16be(sc->pb, len, title, title_len);
+            else if (ch == 0xfffe)
+                avio_get_str16le(sc->pb, len, title, title_len);
+            else {
+                AV_WB16(title, ch);
+                if (len == 1 || len == 2)
+                    title[len] = '0';
+                else
+                    get_strz(sc->pb, title + 2, len - 1);
+            }
        }

        ff_new_chapter(s, i, st->time_base, sample->timestamp, end, title);