mov: Prevent illegal writes when chapter titles are very short.

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 0e2ad1f..06057a2 100644 (file)
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2369,14 +2369,21 @@ static void mov_read_chapters(AVFormatContext *s)
         // The samples could theoretically be in any encoding if there's an encd
         // atom following, but in practice are only utf-8 or utf-16, distinguished
         // instead by the presence of a BOM
-        ch = avio_rb16(sc->pb);
-        if (ch == 0xfeff)
-            avio_get_str16be(sc->pb, len, title, title_len);
-        else if (ch == 0xfffe)
-            avio_get_str16le(sc->pb, len, title, title_len);
-        else {
-            AV_WB16(title, ch);
-            avio_get_str(sc->pb, len - 2, title + 2, title_len - 2);
+        if (!len) {
+            title[0] = 0;
+        } else {
+            ch = avio_rb16(sc->pb);
+            if (ch == 0xfeff)
+                avio_get_str16be(sc->pb, len, title, title_len);
+            else if (ch == 0xfffe)
+                avio_get_str16le(sc->pb, len, title, title_len);
+            else {
+                AV_WB16(title, ch);
+                if (len == 1 || len == 2)
+                    title[len] = '0';
+                else
+                    avio_get_str(sc->pb, len - 2, title + 2, title_len - 2);
+            }
         }
 
         ff_new_chapter(s, i, st->time_base, sample->timestamp, end, title);