[FFmpeg-cvslog] movtextenc: fix pointer messup and out of array accesses

Michael Niedermayer git at videolan.org
Wed Feb 6 00:21:14 CET 2013


ffmpeg | branch: release/1.0 | Michael Niedermayer <michaelni at gmx.at> | Tue Feb  5 21:54:02 2013 +0100| [0c2a350762c398051797638a42ea07ce4baac80d] | committer: Carl Eugen Hoyos

movtextenc: fix pointer messup and out of array accesses

Fixes Ticket2213

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit b0635e2fcf80717dd618ef75d3317d62ed85c300)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0c2a350762c398051797638a42ea07ce4baac80d
---

 libavcodec/movtextenc.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/movtextenc.c b/libavcodec/movtextenc.c
index 7f1b5b8..9b0a6c5 100644
--- a/libavcodec/movtextenc.c
+++ b/libavcodec/movtextenc.c
@@ -21,6 +21,7 @@
 
 #include <stdarg.h>
 #include "avcodec.h"
+#include "libavutil/avassert.h"
 #include "libavutil/avstring.h"
 #include "libavutil/intreadwrite.h"
 #include "ass_split.h"
@@ -87,15 +88,18 @@ static av_cold int mov_text_encode_init(AVCodecContext *avctx)
 static void mov_text_text_cb(void *priv, const char *text, int len)
 {
     MovTextContext *s = priv;
+    av_assert0(s->end >= s->ptr);
     av_strlcpy(s->ptr, text, FFMIN(s->end - s->ptr, len + 1));
-    s->ptr += len;
+    s->ptr += FFMIN(s->end - s->ptr, len);
 }
 
 static void mov_text_new_line_cb(void *priv, int forced)
 {
     MovTextContext *s = priv;
+    av_assert0(s->end >= s->ptr);
     av_strlcpy(s->ptr, "\n", FFMIN(s->end - s->ptr, 2));
-    s->ptr++;
+    if (s->end > s->ptr)
+        s->ptr++;
 }
 
 static const ASSCodesCallbacks mov_text_callbacks = {
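Review bot: In mov_text_text_cb the pointer can still advance over a byte that holds the terminator rather than text: when `len` is at least the remaining space, av_strlcpy (assuming the usual strlcpy semantics) copies one character fewer than the size it is given and writes a NUL in the last slot, yet `s->ptr` moves by the full remaining space. mov_text_new_line_cb has the same edge when exactly one byte is left, since only the terminator fits but `s->ptr++` still runs; `if (s->end - s->ptr > 1)` would count the newline only when it was actually written. Both callbacks also truncate silently, so the encode function outside this hunk presumably cannot tell a full buffer from a complete line. Recording the overflow in the context, so the encoder can return an error, would make truncated output detectable. A negative `len` would still make the FFMIN result negative before it is converted to a size, so `if (len < 0) return;` is worth adding unless the splitter guarantees it cannot happen.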


