avcodec/svq1dec: zero terminate embedded message before printing

Fixes out of array access
Fixes: asan_stack-oob_49b1e5_10_009.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c
index 121ebc4..052b618 100644 (file)
--- a/libavcodec/svq1dec.c
+++ b/libavcodec/svq1dec.c
@@ -499,7 +499,7 @@ static int svq1_decode_delta_block(AVCodecContext *avctx, HpelDSPContext *hdsp,
     return result;
 }
 
     return result;
 }
 

-static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out)
+static void svq1_parse_string(GetBitContext *bitbuf, uint8_t out[257])

 {
     uint8_t seed;
     int i;
 {
     uint8_t seed;
     int i;


@@ -511,6 +511,7 @@ static void svq1_parse_string(GetBitContext *bitbuf, uint8_t *out)
         out[i] = get_bits(bitbuf, 8) ^ seed;
         seed   = string_table[out[i] ^ seed];
     }
         out[i] = get_bits(bitbuf, 8) ^ seed;
         seed   = string_table[out[i] ^ seed];
     }

+    out[i] = 0;

 }
 
 static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame)
 }
 
 static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame)


@@ -553,12 +554,12 @@ static int svq1_decode_frame_header(AVCodecContext *avctx, AVFrame *frame)
         }
 
         if ((s->frame_code ^ 0x10) >= 0x50) {
         }
 
         if ((s->frame_code ^ 0x10) >= 0x50) {

-            uint8_t msg[256];
+            uint8_t msg[257];

 
             svq1_parse_string(bitbuf, msg);
 
             av_log(avctx, AV_LOG_INFO,
 
             svq1_parse_string(bitbuf, msg);
 
             av_log(avctx, AV_LOG_INFO,

-                   "embedded message:\n%s\n", (char *)msg);
+                   "embedded message:\n%s\n", ((char *)msg) + 1);

         }
 
         skip_bits(bitbuf, 2);
         }
 
         skip_bits(bitbuf, 2);