From aa1a6638daa075abc8a5a42caf8a0ae45c5909d9 Mon Sep 17 00:00:00 2001
From: Stefan Pöschel
Date: Tue, 14 Apr 2015 21:57:30 +0200
Subject: Fix out-of-bounds read at higher PAD length

If the MOT payload was smaller than the available space within the PAD of the first data group (e.g. MOT header), nonetheless the whole available space was filled up. Thereby an out-of-bounds read occured, outputting garbage to the unused remaining PAD space.
---
 src/mot-encoder.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/mot-encoder.cpp b/src/mot-encoder.cpp
index 0d8d8d6..34adba5 100644
--- a/src/mot-encoder.cpp
+++ b/src/mot-encoder.cpp
@@ -1085,9 +1085,11 @@ void writeMotPAD(int output_fd,
 } else {
 firstseg = 0;
- curseglen = MIN(non_ci_seglen,mscdgsize-i);
+ curseglen = non_ci_seglen;
 }
+ curseglen = MIN(curseglen, mscdgsize - i);
+
 if (firstseg == 1) {
 // FF-PAD Byte L (CI=1)
 pad[padlen-1] = 0x02;
-- 
cgit v1.2.3
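Review bot: The new `curseglen = MIN(curseglen, mscdgsize - i);` bounds how much is read from the MOT data group, but nothing in this hunk shows that the part of `pad` no longer covered by a short first segment is initialised before the buffer is written to `output_fd`. If `pad` is reused between calls or never cleared, those bytes would still carry stale memory into the output, which is the same garbage the commit message describes, only from a different source. It is worth confirming that the buffer is zeroed before it is populated, for example with `memset(pad, 0, padlen);`, and that the length announced for the first segment matches the shortened `curseglen`. A one-line comment above the clamp such as `// never read past the end of the data group, including the first (CI) segment` would record why it sits outside the if/else. The body of writeMotPAD starts and ends outside the hunk, so both points may already be handled there.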