Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detai…

…l?id=64151 nul-terminate buf to avoid out-of-bounds read
kevinbackhouse · Feb 12, 2024 · 79ab2f6 · 79ab2f6
1 parent 9d45a1d
commit 79ab2f6
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/src/quicktimevideo.cpp b/src/quicktimevideo.cpp
@@ -906,7 +906,7 @@ void QuickTimeVideo::userDataDecoder(size_t size_external) {
 
 void QuickTimeVideo::NikonTagsDecoder(size_t size_external) {
   size_t cur_pos = io_->tell();
-  DataBuf buf(200);
+  DataBuf buf(201);
   DataBuf buf2(4 + 1);
   uint32_t TagID = 0;
   uint16_t dataLength = 0;
@@ -1027,14 +1027,16 @@ void QuickTimeVideo::NikonTagsDecoder(size_t size_external) {
       std::memset(buf.data(), 0x0, buf.size());
 
       // Sanity check with an "unreasonably" large number
-      if (dataLength > 200) {
+      if (dataLength >= buf.size()) {
 #ifndef SUPPRESS_WARNINGS
         EXV_ERROR << "Xmp.video Nikon Tags, dataLength was found to be larger than 200."
                   << " Entries considered invalid. Not Processed.\n";
 #endif
         io_->seek(io_->tell() + dataLength, BasicIo::beg);
+        buf.data()[0] = '\0';
       } else {
         io_->readOrThrow(buf.data(), dataLength);
+        buf.data()[dataLength] = '\0';
       }
 
       if (td) {