diff options
author | Stefan Pöschel <github@basicmaster.de> | 2015-04-14 21:57:30 +0200 |
---|---|---|
committer | Stefan Pöschel <github@basicmaster.de> | 2015-04-14 21:57:30 +0200 |
commit | aa1a6638daa075abc8a5a42caf8a0ae45c5909d9 (patch) | |
tree | 775e9b948eaaf656c8546a4c29f61ef46cc22d06 | |
parent | 2cf0f260ec3ed26035840ea5c956aed96e7a5853 (diff) | |
download | fdk-aac-dabplus-aa1a6638daa075abc8a5a42caf8a0ae45c5909d9.tar.gz fdk-aac-dabplus-aa1a6638daa075abc8a5a42caf8a0ae45c5909d9.tar.bz2 fdk-aac-dabplus-aa1a6638daa075abc8a5a42caf8a0ae45c5909d9.zip |
Fix out-of-bounds read at higher PAD length
If the MOT payload was smaller than the available space within the PAD of the
first data group (e.g. MOT header), nonetheless the whole available space was
filled up. Thereby an out-of-bounds read occured, outputting garbage to the
unused remaining PAD space.
-rw-r--r-- | src/mot-encoder.cpp | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/mot-encoder.cpp b/src/mot-encoder.cpp index 0d8d8d6..34adba5 100644 --- a/src/mot-encoder.cpp +++ b/src/mot-encoder.cpp @@ -1085,9 +1085,11 @@ void writeMotPAD(int output_fd, } else { firstseg = 0; - curseglen = MIN(non_ci_seglen,mscdgsize-i); + curseglen = non_ci_seglen; } + curseglen = MIN(curseglen, mscdgsize - i); + if (firstseg == 1) { // FF-PAD Byte L (CI=1) pad[padlen-1] = 0x02; |