From 5c18bcfd9cb6b4bbb40d487b52226ed5cf79320e Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Thu, 13 Oct 2011 14:47:06 -0700
Subject: [PATCH] mov: Prevent illegal writes when chapter titles are very short.

Signed-off-by: Michael Niedermayer
---
 libavformat/mov.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index cdba33dcb0..553abc246a 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2402,14 +2402,21 @@ static void mov_read_chapters(AVFormatContext *s)
 // The samples could theoretically be in any encoding if there's an encd
 // atom following, but in practice are only utf-8 or utf-16, distinguished
 // instead by the presence of a BOM
- ch = avio_rb16(sc->pb);
- if (ch == 0xfeff)
- avio_get_str16be(sc->pb, len, title, title_len);
- else if (ch == 0xfffe)
- avio_get_str16le(sc->pb, len, title, title_len);
- else {
- AV_WB16(title, ch);
- get_strz(sc->pb, title + 2, len - 1);
+ if (!len) {
+ title[0] = 0;
+ } else {
+ ch = avio_rb16(sc->pb);
+ if (ch == 0xfeff)
+ avio_get_str16be(sc->pb, len, title, title_len);
+ else if (ch == 0xfffe)
+ avio_get_str16le(sc->pb, len, title, title_len);
+ else {
+ AV_WB16(title, ch);
+ if (len == 1 || len == 2)
+ title[len] = '0';
+ else
+ get_strz(sc->pb, title + 2, len - 1);
+ }
 }

 ff_new_chapter(s, i, st->time_base, sample->timestamp, end, title);
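Review bot: In the new `len == 1 || len == 2` branch, `title[len] = '0';` stores the ASCII digit '0' (0x30) rather than a NUL terminator, unlike `title[0] = 0;` in the `!len` branch just above it. If the buffer is not already zero-filled past that index (its allocation is outside the hunk), the title handed to `ff_new_chapter` is unterminated and will be read past its end; if it is zero-filled, the chapter title simply gains a stray '0'. The line should read `title[len] = 0;`. Separately, `avio_rb16` still consumes two bytes when `len == 1`, so one byte beyond the declared title length is taken from the sample; a short comment such as `/* len == 1: second byte is not part of the title and is overwritten below */` would make that intentional. mov_read_chapters begins and ends outside the hunk.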