From 4602023991ab63c6b47f091795cd6fa393b41c2c Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Tue, 23 Feb 2010 23:31:57 +0100
Subject: [PATCH] Fixed invalid accesses in decoder with corrupted subtitles streams.
---
 modules/codec/subtitles/subsdec.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/modules/codec/subtitles/subsdec.c b/modules/codec/subtitles/subsdec.c
index ab6fba21b7..b2243163de 100644
--- a/modules/codec/subtitles/subsdec.c
+++ b/modules/codec/subtitles/subsdec.c
@@ -435,10 +435,11 @@ static subpicture_t *ParseText( decoder_t *p_dec, block_t *p_block )
 }
 /* Should be resiliant against bad subtitles */
- psz_subtitle = strndup( (const char *)p_block->p_buffer,
- p_block->i_buffer );
+ psz_subtitle = malloc( p_block->i_buffer + 1 );
 if( psz_subtitle == NULL )
 return NULL;
+ memcpy( psz_subtitle, p_block->p_buffer, p_block->i_buffer );
+ psz_subtitle[p_block->i_buffer] = '\0';
 if( p_sys->iconv_handle == (vlc_iconv_t)-1 )
 {
@@ -794,9 +795,13 @@ static char *CreateHtmlSubtitle( int *pi_align, char *psz_subtitle )
 if( psz_attribs[ k ] == NULL )
 {
 /* Jump over unrecognised tag */
- int i_len = strcspn( psz_subtitle, "\"" ) + 1;
-
- i_len += strcspn( psz_subtitle + i_len, "\"" ) + 1;
+ int i_len = strcspn( psz_subtitle, "\"" );
+ if( psz_subtitle[i_len] == '\"' )
+ {
+ i_len += 1 + strcspn( &psz_subtitle[i_len + 1], "\"" );
+ if( psz_subtitle[i_len] == '\"' )
+ i_len++;
+ }
 psz_subtitle += i_len;
 }
 while (*psz_subtitle == ' ')
--
2.39.5
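Review bot: The switch from `strndup()` to `malloc` + `memcpy` in ParseText carries no comment saying why, so a later cleanup could fold it back into `strndup()` and bring back the invalid access named in the commit subject. I would add above the `malloc` line something like `/* p_buffer is not NUL-terminated: copy exactly i_buffer bytes and terminate by hand */`; the reason is inferred from the subject line and should be confirmed. Separately, `p_block->i_buffer + 1` overflows if i_buffer is at the maximum of its type, after which the `memcpy` would write past the allocation; the field's type is not visible here, so a guard is only needed if no upstream limit on block size exists. ParseText starts and ends outside the hunk.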
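Review bot: `i_len` is still declared `int` although it now accumulates two `strcspn()` results and is used as an index in `psz_subtitle[i_len]`; `size_t i_len = strcspn( psz_subtitle, "\"" );` matches the return type and avoids a signed narrowing on very long input. The three cases handled (no quote, opening quote only, fully quoted value) deserve a one-line comment, because when no quote is found the pointer advances to the terminating NUL and the rest of the subtitle is skipped. Whether the enclosing loop stops cleanly at that NUL cannot be checked here, since CreateHtmlSubtitle's body continues outside the hunk.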