From 3c01958bb1941ef76a840ab93ea8570fed64384d Mon Sep 17 00:00:00 2001
From: Stefan Pöschel
Date: Tue, 14 Apr 2015 21:57:30 +0200
Subject: Fix out-of-bounds read at higher PAD length

If the MOT payload was smaller than the available space within the PAD of the first data group (e.g. MOT header), nonetheless the whole available space was filled up. Thereby an out-of-bounds read occured, outputting garbage to the unused remaining PAD space.
---
 src/mot-encoder.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/mot-encoder.cpp b/src/mot-encoder.cpp
index 0d8d8d6..34adba5 100644
--- a/src/mot-encoder.cpp
+++ b/src/mot-encoder.cpp
@@ -1085,9 +1085,11 @@ void writeMotPAD(int output_fd,
 
 } else {
 firstseg = 0;
- curseglen = MIN(non_ci_seglen,mscdgsize-i);
+ curseglen = non_ci_seglen;
 }
 
+ curseglen = MIN(curseglen, mscdgsize - i);
+
 if (firstseg == 1) {
 // FF-PAD Byte L (CI=1)
 pad[padlen-1] = 0x02;
-- 
cgit v1.2.3
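Review bot: The new clamp `curseglen = MIN(curseglen, mscdgsize - i);` bounds how much is read from the data group, but nothing in this hunk shows what ends up in the PAD bytes beyond the shortened segment. It is worth confirming that the rest of `pad` is explicitly zero-filled, so that it cannot carry over bytes from an earlier iteration into the output. The comparison inside `MIN` also depends on the signedness of `curseglen`, `mscdgsize` and `i`, which are declared outside the hunk and should be checked to match. A short comment on the new line would record why it now covers both branches, e.g. `// never read past the end of the MSC data group, first segment included`. writeMotPAD's body starts and ends outside the hunk.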