From f5dd1eb7b5441cf65e9b68c51717d489fc21b155 Mon Sep 17 00:00:00 2001
From: Aurelien Jacobs <aurel@gnuage.org>
Date: Sun, 2 Jan 2011 23:40:30 +0000
Subject: srtdec: ensure we don't read 1 byte after buffer end if the buffer is
 not properly terminated.

Originally committed as revision 26201 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/srtdec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'libavcodec/srtdec.c')

diff --git a/libavcodec/srtdec.c b/libavcodec/srtdec.c
index 42eae322d1..adbae514c7 100644
--- a/libavcodec/srtdec.c
+++ b/libavcodec/srtdec.c
@@ -65,7 +65,7 @@ static const char *srt_to_ass(AVCodecContext *avctx, char *out, char *out_end,
             out += snprintf(out, out_end-out, "{\\an1}{\\pos(%d,%d)}", x1, y1);
     }
 
-    for (; *in && out < out_end && !end; in++) {
+    for (; out < out_end && !end && *in; in++) {
         switch (*in) {
         case '\r':
             break;
@@ -211,13 +211,14 @@ static int srt_decode_frame(AVCodecContext *avctx,
     int ts_start, ts_end, x1 = -1, y1 = -1, x2 = -1, y2 = -1;
     char buffer[2048];
     const char *ptr = avpkt->data;
+    const char *end = avpkt->data + avpkt->size;
 
     if (avpkt->size <= 0)
         return avpkt->size;
 
     ff_ass_init(sub);
 
-    while (*ptr) {
+    while (ptr < end && *ptr) {
         ptr = read_ts(ptr, &ts_start, &ts_end, &x1, &y1, &x2, &y2);
         if (!ptr)
             break;
-- 
cgit v1.2.3