Browse code
avformat/mov: Check for string truncation in mov_open_dref()
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 8003816e1619e77d8de051883264aa090e0d78cc)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2015/03/15 05:24:54Showing 1 changed files
| ... | ... |
@@ -2366,7 +2366,7 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, |
| 2366 | 2366 |
/* try relative path, we do not try the absolute because it can leak information about our |
| 2367 | 2367 |
system to an attacker */ |
| 2368 | 2368 |
if (ref->nlvl_to > 0 && ref->nlvl_from > 0) {
|
| 2369 |
- char filename[1024]; |
|
| 2369 |
+ char filename[1025]; |
|
| 2370 | 2370 |
const char *src_path; |
| 2371 | 2371 |
int i, l; |
| 2372 | 2372 |
|
| ... | ... |
@@ -2396,6 +2396,8 @@ static int mov_open_dref(AVIOContext **pb, const char *src, MOVDref *ref, |
| 2396 | 2396 |
|
| 2397 | 2397 |
av_strlcat(filename, ref->path + l + 1, sizeof(filename)); |
| 2398 | 2398 |
|
| 2399 |
+ if (strlen(filename) + 1 == sizeof(filename)) |
|
| 2400 |
+ return AVERROR(ENOENT); |
|
| 2399 | 2401 |
if (!avio_open2(pb, filename, AVIO_FLAG_READ, int_cb, NULL)) |
| 2400 | 2402 |
return 0; |
| 2401 | 2403 |
} |