decssasub, dectx3gsub: fix writing past hb_buffer_t data[size - 1].

This is not safe and causes subtitle corruption.

Same fix as SVN revision 5346 for the remaining text-based subtitle deocders.

git-svn-id: svn://svn.handbrake.fr/HandBrake/trunk@5390 b64f7644-9d1e-0410-96f1-a4d463321fa5

diff --git a/libhb/decssasub.c b/libhb/decssasub.c
index b85ff0524e3d25976e5000f8a0bda0897bde4c13..d648f1d9d06070369074b9bcd6fd8a101b6467f5 100644 (file)
--- a/libhb/decssasub.c
+++ b/libhb/decssasub.c
@@ -126,8 +126,8 @@ static hb_buffer_t *ssa_decode_line_to_mkv_ssa( hb_work_object_t * w, uint8_t *i
 static hb_buffer_t *ssa_decode_packet( hb_work_object_t * w, hb_buffer_t *in )
 {
     // Store NULL after the end of the buffer to make using string processing safe
-    hb_buffer_realloc( in, in->size + 1 );
-    in->data[in->size] = '\0';
+    hb_buffer_realloc(in, ++in->size);
+    in->data[in->size - 1] = '\0';
     
     hb_buffer_t *out_list = NULL;
     hb_buffer_t **nextPtr = &out_list;
@@ -151,10 +151,10 @@ static hb_buffer_t *ssa_decode_packet( hb_work_object_t * w, hb_buffer_t *in )
             
             // We shouldn't be storing the extra NULL character,
             // but the MP4 muxer expects this, unfortunately.
-            if ( out->size > 0 && out->data[out->size - 1] != '\0' ) {
-                // NOTE: out->size remains unchanged
-                hb_buffer_realloc( out, out->size + 1 );
-                out->data[out->size] = '\0';
+            if (out->size > 0 && out->data[out->size - 1] != '\0')
+            {
+                hb_buffer_realloc(out, ++out->size);
+                out->data[out->size - 1] = '\0';
             }
             
             // If the input packet was non-empty, do not pass through
@@ -352,8 +352,9 @@ static hb_buffer_t * ssa_to_mkv_ssa( hb_work_object_t * w,  hb_buffer_t * in )
     hb_buffer_t * out_last = NULL;
     hb_buffer_t * out_first = NULL;
 
-    hb_buffer_realloc( in, in->size + 1 );
-    in->data[in->size] = '\0';
+    // Store NULL after the end of the buffer to make using string processing safe
+    hb_buffer_realloc(in, ++in->size);
+    in->data[in->size - 1] = '\0';
 
     const char *EOL = "\r\n";
     char *curLine, *curLine_parserData;

diff --git a/libhb/dectx3gsub.c b/libhb/dectx3gsub.c
index b8d8c28be40e7ea08428611a9a516fde36cdbf70..a2231a4fbebab8771abe7f54c7ee9f24e98f65e6 100644 (file)
--- a/libhb/dectx3gsub.c
+++ b/libhb/dectx3gsub.c
@@ -214,10 +214,10 @@ static int dectx3gWork( hb_work_object_t * w, hb_buffer_t ** buf_in,
     if ( out != NULL ) {
         // We shouldn't be storing the extra NULL character,
         // but the MP4 muxer expects this, unfortunately.
-        if ( out->size > 0 && out->data[out->size - 1] != '\0' ) {
-            // NOTE: out->size remains unchanged
-            hb_buffer_realloc( out, out->size + 1 );
-            out->data[out->size] = '\0';
+        if (out->size > 0 && out->data[out->size - 1] != '\0')
+        {
+            hb_buffer_realloc(out, ++out->size);
+            out->data[out->size - 1] = '\0';
         }
         
         // If the input packet was non-empty, do not pass through