aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorStefan Pöschel <github@basicmaster.de>2015-04-14 21:57:30 +0200
committerStefan Pöschel <github@basicmaster.de>2015-04-14 21:57:30 +0200
commit3c01958bb1941ef76a840ab93ea8570fed64384d (patch)
tree54dd838dd4082705d0a9203dfd67fbf3709f8346 /src
parentf45080e7914dd8eb7c0e46638894d3c3a9c96efb (diff)
downloadODR-PadEnc-3c01958bb1941ef76a840ab93ea8570fed64384d.tar.gz
ODR-PadEnc-3c01958bb1941ef76a840ab93ea8570fed64384d.tar.bz2
ODR-PadEnc-3c01958bb1941ef76a840ab93ea8570fed64384d.zip
Fix out-of-bounds read at higher PAD length
If the MOT payload was smaller than the available space within the PAD of the first data group (e.g. MOT header), nonetheless the whole available space was filled up. Thereby an out-of-bounds read occured, outputting garbage to the unused remaining PAD space.
Diffstat (limited to 'src')
-rw-r--r--src/mot-encoder.cpp4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/mot-encoder.cpp b/src/mot-encoder.cpp
index 0d8d8d6..34adba5 100644
--- a/src/mot-encoder.cpp
+++ b/src/mot-encoder.cpp
@@ -1085,9 +1085,11 @@ void writeMotPAD(int output_fd,
}
else {
firstseg = 0;
- curseglen = MIN(non_ci_seglen,mscdgsize-i);
+ curseglen = non_ci_seglen;
}
+ curseglen = MIN(curseglen, mscdgsize - i);
+
if (firstseg == 1) {
// FF-PAD Byte L (CI=1)
pad[padlen-1] = 0x02;