From b0635e2fcf80717dd618ef75d3317d62ed85c300 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 5 Feb 2013 21:54:02 +0100
Subject: movtextenc: fix pointer messup and out of array accesses

Fixes Ticket2187
Signed-off-by: Michael Niedermayer
---
 libavcodec/movtextenc.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'libavcodec/movtextenc.c')
diff --git a/libavcodec/movtextenc.c b/libavcodec/movtextenc.c
index 7f1b5b830f..9b0a6c5bce 100644
--- a/libavcodec/movtextenc.c
+++ b/libavcodec/movtextenc.c
@@ -21,6 +21,7 @@

 #include
 #include "avcodec.h"
+#include "libavutil/avassert.h"
 #include "libavutil/avstring.h"
 #include "libavutil/intreadwrite.h"
 #include "ass_split.h"
@@ -87,15 +88,18 @@ static av_cold int mov_text_encode_init(AVCodecContext *avctx)
 static void mov_text_text_cb(void *priv, const char *text, int len)
 {
 MovTextContext *s = priv;
+ av_assert0(s->end >= s->ptr);
 av_strlcpy(s->ptr, text, FFMIN(s->end - s->ptr, len + 1));
- s->ptr += len;
+ s->ptr += FFMIN(s->end - s->ptr, len);
 }

 static void mov_text_new_line_cb(void *priv, int forced)
 {
 MovTextContext *s = priv;
+ av_assert0(s->end >= s->ptr);
 av_strlcpy(s->ptr, "\n", FFMIN(s->end - s->ptr, 2));
- s->ptr++;
+ if (s->end > s->ptr)
+ s->ptr++;
 }

 static const ASSCodesCallbacks mov_text_callbacks = {
--
cgit v1.2.3
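Review bot: In both callbacks the pointer advance still counts a byte that av_strlcpy() did not write as payload once the buffer is nearly full: with one byte left, `mov_text_new_line_cb` stores only the terminating NUL yet `if (s->end > s->ptr)` still increments `s->ptr`, and `mov_text_text_cb` advances by the full remaining space although the copy was cut to one character less. The writes are now in bounds, but the text is truncated silently and, if the output length is derived from `s->ptr` (that code is outside the hunk), a NUL may end up inside the encoded sample. Consider advancing only by what was actually copied, e.g. `if (s->end - s->ptr > 1) s->ptr++;` and `s->ptr += FFMIN(FFMAX(s->end - s->ptr - 1, 0), len);`, and having the caller report an error when the buffer is exhausted instead of emitting a shortened subtitle. Since `av_assert0` aborts the process, a short comment such as `/* invariant: ptr never passes end; every advance is clamped */` would make clear it guards an internal invariant and is not meant as input validation.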