From 46191a2da16f751e53d93646ae1388d421d12bee Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sat, 17 Dec 2016 14:17:20 +0100
Subject: [PATCH] mov: fix a possible invalid read in mov_read_mac_string()

When the input string is too large, so the second condition in if () fails, the code will erroneously execute the else branch, indexing the mac_to_unicode table with a negative index.

CC: libav-stable@libav.org
Bug-Id: 1000
Found-By: Kamil Frankowicz
---
 libavformat/mov.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 7fe639dd5e..ed10a15625 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -161,7 +161,11 @@ static int mov_read_mac_string(MOVContext *c, AVIOContext *pb, int len,

 for (i = 0; i < len; i++) {
 uint8_t t, c = avio_r8(pb);
- if (c < 0x80 && p < end)
+
+ if (p >= end)
+ continue;
+
+ if (c < 0x80)
 *p++ = c;
 else
 PUT_UTF8(mac_to_unicode[c-0x80], t, if (p < end) *p++ = t;);
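Review bot: The new `if (p >= end) continue;` guard needs a comment explaining why it is `continue` and not `break`: the loop still calls avio_r8() for every remaining byte, so all `len` input bytes are consumed even when the output is truncated, and a later cleanup to `break` would presumably leave the caller's read position inside the string. Something like `/* output full: keep draining the input so pb stays in sync */` above the guard would do. Separately, the else branch can still cut a multi-byte sequence short when only one byte of room is left, because `if (p < end)` is tested per emitted byte inside PUT_UTF8, so dst may end in an incomplete UTF-8 sequence; checking the remaining room before encoding the character would avoid that. The body of mov_read_mac_string() starts and ends outside the hunk, so how dst is terminated and what is returned on truncation cannot be confirmed from here.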