Browse code
avformat/mov: Check for string truncation in mov_open_dref()
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8003816e1619e77d8de051883264aa090e0d78cc)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2015/03/15 05:24:54Showing 1 changed files
| ... | ... |
@@ -2600,7 +2600,7 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, |
| 2600 | 2600 |
/* try relative path, we do not try the absolute because it can leak information about our |
| 2601 | 2601 |
system to an attacker */ |
| 2602 | 2602 |
if (ref->nlvl_to > 0 && ref->nlvl_from > 0) {
|
| 2603 |
- char filename[1024]; |
|
| 2603 |
+ char filename[1025]; |
|
| 2604 | 2604 |
const char *src_path; |
| 2605 | 2605 |
int i, l; |
| 2606 | 2606 |
|
| ... | ... |
@@ -2630,6 +2630,8 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, |
| 2630 | 2630 |
|
| 2631 | 2631 |
av_strlcat(filename, ref->path + l + 1, sizeof(filename)); |
| 2632 | 2632 |
|
| 2633 |
+ if (strlen(filename) + 1 == sizeof(filename)) |
|
| 2634 |
+ return AVERROR(ENOENT); |
|
| 2633 | 2635 |
if (!avio_open2(pb, filename, AVIO_FLAG_READ, int_cb, NULL)) |
| 2634 | 2636 |
return 0; |
| 2635 | 2637 |
} |