Subtitle: fix off-by-one error during allocation before call to sscanf
authorFelix Abecassis <felix.abecassis@gmail.com>
Wed, 26 Feb 2014 17:36:13 +0000 (18:36 +0100)
committerIlkka Ollakka <ileoo@videolan.org>
Wed, 26 Feb 2014 18:46:33 +0000 (20:46 +0200)
Fix a crash when parsing subtitles. From the man page of sscanf:
"the next pointer must be a pointer to character array that is long
enough to hold the input sequence and the terminating null byte"

Signed-off-by: Ilkka Ollakka <ileoo@videolan.org>
modules/demux/subtitle.c

index 2a7c191932a9465fd53f43b1a8a7afe0aca821f4..29922cc00ad6a751eb773af02fc33440e695b1d6 100644 (file)
@@ -1012,8 +1012,8 @@ static int subtitle_ParseSubRipTiming( subtitle_t *p_subtitle,
 {
     int i_result = VLC_EGENERIC;
     char *psz_start, *psz_stop;
-    psz_start = malloc( strlen(s) );
-    psz_stop = malloc( strlen(s) );
+    psz_start = malloc( strlen(s) + 1 );
+    psz_stop = malloc( strlen(s) + 1 );
 
     if( sscanf( s, "%s --> %s", psz_start, psz_stop) == 2 &&
         subtitle_ParseSubRipTimingValue( &p_subtitle->i_start, psz_start ) == VLC_SUCCESS &&
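Review bot: Both `malloc` results on the added lines go straight into `sscanf` without a NULL check, so an allocation failure while parsing a long line from an untrusted subtitle file becomes a write through a null pointer. A guard before the `sscanf` call would close that, e.g. `if( !psz_start || !psz_stop ) { free( psz_start ); free( psz_stop ); return VLC_ENOMEM; }`. The `+ 1` does make the unbounded `%s` conversions safe, because neither token can be longer than `strlen(s)` characters; a short comment such as `/* each %s token is at most strlen(s) bytes, plus the terminating NUL */` would keep a later edit from shrinking the buffers. The function body continues past the end of this hunk, so its existing cleanup path is not visible here and the early return may need to be adapted to it.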