
[FFmpeg-devel,4/8] avcodec/realtextdec: do not overread if zero padding is missing

Message ID 20210313213345.3268-4-cus@passwd.hu
State New
Series [FFmpeg-devel,1/8] avcodec/assdec: do not overread if zero padding is missing

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Marton Balint March 13, 2021, 9:33 p.m. UTC
Signed-off-by: Marton Balint <cus@passwd.hu>
---
 libavcodec/realtextdec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Patch

diff --git a/libavcodec/realtextdec.c b/libavcodec/realtextdec.c
index 5084781123..bdd9659235 100644
--- a/libavcodec/realtextdec.c
+++ b/libavcodec/realtextdec.c
@@ -29,11 +29,11 @@ 
 #include "libavutil/avstring.h"
 #include "libavutil/bprint.h"
 
-static int rt_event_to_ass(AVBPrint *buf, const char *p)
+static int rt_event_to_ass(AVBPrint *buf, const char *p, const char *pend)
 {
     int prev_chr_is_space = 1;
 
-    while (*p) {
+    while (p < pend && *p) {
         if (*p != '<') {
             if (!av_isspace(*p))
                 av_bprint_chars(buf, *p, 1);
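Review bot: The new `pend` parameter of rt_event_to_ass has no stated contract, and the loop `while (p < pend && *p)` now has two independent stop conditions. A short comment above the function would make the bound explicit for future callers, for example `/* Parses [p, pend); pend points one past the last readable byte. Parsing also stops at the first NUL. */`. The function body continues outside this hunk, so any later reads of `p` should be checked against the same bound.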
@@ -41,7 +41,7 @@  static int rt_event_to_ass(AVBPrint *buf, const char *p)
                 av_bprint_chars(buf, ' ', 1);
             prev_chr_is_space = av_isspace(*p);
         } else {
-            const char *end = strchr(p, '>');
+            const char *end = av_strnstr(p, ">", pend - p);
             if (!end)
                 break;
             if (!av_strncasecmp(p, "<br/>", 5) ||
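Review bot: The search on the `av_strnstr(p, ">", pend - p)` line is bounded by length, whereas the old `strchr` stopped at a NUL. If av_strnstr compares by length only (its body is not shown on this page), a tag opened before an embedded NUL can now be closed by a `>` that follows it. After `p = end`, parsing would then resume past a terminator that the outer loop's `*p` test would otherwise honour. This stays inside the packet, so it is a behaviour change rather than an overread, but it deserves a comment such as `/* bounded by pend only: a '>' after an embedded NUL still closes the tag */`, or an explicit stop at the NUL if that is not intended. The `av_strncasecmp` condition continues outside this hunk.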
@@ -65,7 +65,7 @@  static int realtext_decode_frame(AVCodecContext *avctx,
     AVBPrint buf;
 
     av_bprint_init(&buf, 0, 4096);
-    if (ptr && avpkt->size > 0 && !rt_event_to_ass(&buf, ptr))
+    if (ptr && avpkt->size > 0 && !rt_event_to_ass(&buf, ptr, ptr + avpkt->size))
         ret = ff_ass_add_rect(sub, buf.str, s->readorder++, 0, NULL, NULL);
     av_bprint_finalize(&buf, NULL);
     if (ret < 0)