[FFmpeg-devel] [PATCH 7/8] avcodec/srtdec: do not overread if zero padding is missing
Marton Balint
cus at passwd.hu
Sat Mar 13 23:33:44 EET 2021
Signed-off-by: Marton Balint <cus at passwd.hu>
---
libavcodec/srtdec.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libavcodec/srtdec.c b/libavcodec/srtdec.c
index 98f84ac673..37fb0d3173 100644
--- a/libavcodec/srtdec.c
+++ b/libavcodec/srtdec.c
@@ -62,6 +62,7 @@ static int srt_decode_frame(AVCodecContext *avctx,
buffer_size_t size;
const uint8_t *p = av_packet_get_side_data(avpkt, AV_PKT_DATA_SUBTITLE_POSITION, &size);
FFASSDecoderContext *s = avctx->priv_data;
+ char *dup;
if (p && size == 16) {
x1 = AV_RL32(p );
@@ -73,12 +74,17 @@ static int srt_decode_frame(AVCodecContext *avctx,
if (avpkt->size <= 0)
return avpkt->size;
+ dup = av_strndup(avpkt->data, avpkt->size);
+ if (!dup)
+ return AVERROR(ENOMEM);
+
av_bprint_init(&buffer, 0, AV_BPRINT_SIZE_UNLIMITED);
- ret = srt_to_ass(avctx, &buffer, avpkt->data, x1, y1, x2, y2);
+ ret = srt_to_ass(avctx, &buffer, dup, x1, y1, x2, y2);
if (ret >= 0)
ret = ff_ass_add_rect(sub, buffer.str, s->readorder++, 0, NULL, NULL);
av_bprint_finalize(&buffer, NULL);
+ av_free(dup);
if (ret < 0)
return ret;
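Review bot: The copy at `dup = av_strndup(avpkt->data, avpkt->size);` carries no comment saying why it exists, so a later cleanup could remove it as a redundant per-packet allocation and bring the overread back. The call to srt_to_ass() passes no length, so a one-line comment above the copy would keep the reason visible: `/* srt_to_ass() takes no length; copy so the input is NUL-terminated at avpkt->size even when the packet lacks zero padding */`. The `avpkt->size <= 0` guard just above is what makes passing the `int` size as a `size_t` length safe, so the two should stay adjacent. `avpkt->data` is a `uint8_t *` while av_strndup() takes a `const char *`, so an explicit cast would avoid a pointer-sign warning in builds that enable it. srt_decode_frame starts and ends outside the hunk.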
--
2.26.2