lavf/mov.c: Avoid OOB in mov_read_udta_string()

Core of patch is from paul@paulmehta.com Reference https://crbug.com/643952 (udta_string portion) Signed-off-by: Matt Wolenetz <wolenetz@chromium.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

lavf/mov.c: Avoid OOB in mov_read_udta_string()
Core of patch is from paul@paulmehta.com Reference https://crbug.com/643952 (udta_string portion) Signed-off-by: Matt Wolenetz <wolenetz@chromium.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9bbdf5d9 · Matt Wolenetz · Michael Niedermayer · ce6e7a2d · 9bbdf5d9
Commit 9bbdf5d9 authored 8 years ago by Matt Wolenetz Committed by Michael Niedermayer 8 years ago
Hide whitespace changes
Inline Side-by-side

Showing

with 2 additions and 2 deletions
+2 -2
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -407,11 +407,11 @@ retry:
                return ret;
            } else if (!key && c->found_hdlr_mdta && c->meta_keys) {
                uint32_t index = AV_RB32(&atom.type);
-                if (index < c->meta_keys_count) {
+                if (index < c->meta_keys_count && index > 0) {
                    key = c->meta_keys[index];
                } else {
                    av_log(c->fc, AV_LOG_WARNING,
-                           "The index of 'data' is out of range: %d >= %d.\n",
+                           "The index of 'data' is out of range: %d < 1 or >= %d.\n",
                           index, c->meta_keys_count);
                }
            }