aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStefan Pöschel <github@basicmaster.de>2015-04-14 21:57:30 +0200
committerStefan Pöschel <github@basicmaster.de>2015-04-14 21:57:30 +0200
commitaa1a6638daa075abc8a5a42caf8a0ae45c5909d9 (patch)
tree775e9b948eaaf656c8546a4c29f61ef46cc22d06
parent2cf0f260ec3ed26035840ea5c956aed96e7a5853 (diff)
downloadfdk-aac-aa1a6638daa075abc8a5a42caf8a0ae45c5909d9.tar.gz
fdk-aac-aa1a6638daa075abc8a5a42caf8a0ae45c5909d9.tar.bz2
fdk-aac-aa1a6638daa075abc8a5a42caf8a0ae45c5909d9.zip
Fix out-of-bounds read at higher PAD length
If the MOT payload was smaller than the available space within the PAD of the first data group (e.g. MOT header), nonetheless the whole available space was filled up. Thereby an out-of-bounds read occured, outputting garbage to the unused remaining PAD space.
-rw-r--r--src/mot-encoder.cpp4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/mot-encoder.cpp b/src/mot-encoder.cpp
index 0d8d8d6..34adba5 100644
--- a/src/mot-encoder.cpp
+++ b/src/mot-encoder.cpp
@@ -1085,9 +1085,11 @@ void writeMotPAD(int output_fd,
}
else {
firstseg = 0;
- curseglen = MIN(non_ci_seglen,mscdgsize-i);
+ curseglen = non_ci_seglen;
}
+ curseglen = MIN(curseglen, mscdgsize - i);
+
if (firstseg == 1) {
// FF-PAD Byte L (CI=1)
pad[padlen-1] = 0x02;