From patchwork Mon Nov 14 13:56:04 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Carl Eugen Hoyos <cehoyos@ag.or.at>
X-Patchwork-Id: 1421
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.103.90.1 with SMTP id o1csp1049944vsb;
	Mon, 14 Nov 2016 05:56:15 -0800 (PST)
X-Received: by 10.28.153.201 with SMTP id b192mr11188932wme.61.1479131775076;
	Mon, 14 Nov 2016 05:56:15 -0800 (PST)
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id e2si23791690wjz.53.2016.11.14.05.56.14;
	Mon, 14 Nov 2016 05:56:15 -0800 (PST)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 34FCB689FFF;
	Mon, 14 Nov 2016 15:56:13 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe02-2.mx.upcmail.net
	(vie01a-dmta-pe02-2.mx.upcmail.net [62.179.121.158])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 9743C689FE5
	for <ffmpeg-devel@ffmpeg.org>; Mon, 14 Nov 2016 15:56:06 +0200 (EET)
Received: from [172.31.216.44] (helo=vie01a-pemc-psmtp-pe02)
	by vie01a-dmta-pe02.mx.upcmail.net with esmtp (Exim 4.87)
	(envelope-from <cehoyos@ag.or.at>) id 1c6Hjx-0005de-Mt
	for ffmpeg-devel@ffmpeg.org; Mon, 14 Nov 2016 14:56:05 +0100
Received: from [192.168.1.3] ([80.110.110.43])
	by vie01a-pemc-psmtp-pe02 with SMTP @ mailcloud.upcmail.net
	id 7pw41u01g0wDQrU01pw5WM; Mon, 14 Nov 2016 14:56:05 +0100
X-SourceIP: 80.110.110.43
From: Carl Eugen Hoyos <cehoyos@ag.or.at>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Mon, 14 Nov 2016 14:56:04 +0100
User-Agent: KMail/1.9.10
MIME-Version: 1.0
Message-Id: <201611141456.04304.cehoyos@ag.or.at>
Subject: [FFmpeg-devel] [PATCH]lavf/mov: Fix an out-of-bound-read in
	mov_read_mac_string().
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Hi!

I believe attached patch fixes an out-of-bound-read in mov_read_mac_string() 
if p<end is false and if the read character is < 0x80, see bug 989.

Please comment, Carl Eugen
From 6c69f755e1c4f22d1efb36777631c98a4d20ffef Mon Sep 17 00:00:00 2001
From: Carl Eugen Hoyos <cehoyos@ag.or.at>
Date: Mon, 14 Nov 2016 14:52:58 +0100
Subject: [PATCH] lavf/mov: Fix an out-of-bound-read in mov_read_mac_string().
---
 libavformat/mov.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 8d6cc12..21556be 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -160,7 +160,7 @@ static int mov_read_mac_string(MOVContext *c, AVIOContext *pb, int len,
         uint8_t t, c = avio_r8(pb);
         if (c < 0x80 && p < end)
             *p++ = c;
-        else if (p < end)
+        else if (c >= 0x80 && p < end)
             PUT_UTF8(mac_to_unicode[c-0x80], t, if (p < end) *p++ = t;);
     }
     *p = 0;