X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fmovtextdec.c;h=81fd1d6deb41caab01b5c096772b97e84b5b9c5c;hb=b921b3b42b61a3dff19157bf3eec1f6f38a2cae7;hp=a33fff7518c537ee5a05016ac379375385de8e1a;hpb=a0bc6b51d4f6d01eb4bcaec5489ca67037687a77;p=ffmpeg diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index a33fff7518c..81fd1d6deb4 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -116,6 +116,8 @@ static void mov_text_cleanup(MovTextContext *m) av_freep(&m->s[i]); } av_freep(&m->s); + m->count_s = 0; + m->style_entries = 0; } } @@ -279,12 +281,14 @@ static int decode_hclr(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) { int i; - m->style_entries = AV_RB16(tsmb); + int style_entries = AV_RB16(tsmb); tsmb += 2; // A single style record is of length 12 bytes. - if (m->tracksize + m->size_var + 2 + m->style_entries * 12 > avpkt->size) + if (m->tracksize + m->size_var + 2 + style_entries * 12 > avpkt->size) return -1; + m->style_entries = style_entries; + m->box_flags |= STYL_BOX; for(i = 0; i < m->style_entries; i++) { m->s_temp = av_malloc(sizeof(*m->s_temp)); @@ -471,10 +475,6 @@ static int mov_text_decode_frame(AVCodecContext *avctx, tsmb_type = AV_RB32(tsmb); tsmb += 4; - if (tsmb_size == 0) { - return AVERROR_INVALIDDATA; - } - if (tsmb_size == 1) { if (m->tracksize + 16 > avpkt->size) break; @@ -485,7 +485,12 @@ static int mov_text_decode_frame(AVCodecContext *avctx, m->size_var = 8; //size_var is equal to 8 or 16 depending on the size of box - if (m->tracksize + tsmb_size > avpkt->size) + if (tsmb_size == 0) { + av_log(avctx, AV_LOG_ERROR, "tsmb_size is 0\n"); + return AVERROR_INVALIDDATA; + } + + if (tsmb_size > avpkt->size - m->tracksize) break; for (size_t i = 0; i < box_count; i++) {
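Review bot: The invariant behind the two new resets in mov_text_cleanup is not documented: once `av_freep(&m->s)` has run, a non-zero `m->count_s` or `m->style_entries` would let a later loop index through a freed (now NULL) array. A short comment above them would keep a future edit from dropping the resets, for example `/* keep the counters in sync with the freed array so no later loop walks m->s */`. The resets sit inside a conditional block whose test is outside the hunk, so they run only on the path that also frees `m->s`; that looks intended, but it is worth confirming the counters cannot be non-zero on the other path.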
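Review bot: The length check in decode_styl bounds the style records only by `avpkt->size`, not by the size of the enclosing styl box. A box that declares more entries than its own length allows is therefore accepted whenever the packet is long enough, and the extra records would be parsed from whatever bytes follow the box. The function receives only `tsmb`, `m` and `avpkt`, so tightening this needs the box length made available to it; whether the caller already limits this is outside the hunk. Separately, a comment on the deferred assignment would help, e.g. `/* commit the count only after validation so the error path leaves m->style_entries untouched */`.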
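Review bot: The relocated check in mov_text_decode_frame rejects only `tsmb_size == 0`, but any declared size below the box header length (`m->size_var`, 8 or 16 per the comment just above) is equally malformed and still reaches the box loop. Consider `if (tsmb_size < m->size_var) {` with a message such as `"tsmb_size invalid\n"`, which also covers the zero case. The rewritten bound `tsmb_size > avpkt->size - m->tracksize` is only safe while `m->tracksize` cannot exceed `avpkt->size` here. That is presumably guaranteed by the loop condition outside the hunk, and a one-line comment stating it would protect the subtraction from a later refactor.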