From 1a6df94849be8acc88284e3262b22ffab2bcd2cc Mon Sep 17 00:00:00 2001 From: Rodeo Date: Wed, 10 Apr 2013 12:56:31 +0000 Subject: [PATCH] decssasub, dectx3gsub: fix writing past hb_buffer_t data[size - 1]. This is not safe and causes subtitle corruption. Same fix as SVN revision 5346 for the remaining text-based subtitle deocders. git-svn-id: svn://svn.handbrake.fr/HandBrake/trunk@5390 b64f7644-9d1e-0410-96f1-a4d463321fa5 --- libhb/decssasub.c | 17 +++++++++-------- libhb/dectx3gsub.c | 8 ++++---- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/libhb/decssasub.c b/libhb/decssasub.c index b85ff0524..d648f1d9d 100644 --- a/libhb/decssasub.c +++ b/libhb/decssasub.c @@ -126,8 +126,8 @@ static hb_buffer_t *ssa_decode_line_to_mkv_ssa( hb_work_object_t * w, uint8_t *i static hb_buffer_t *ssa_decode_packet( hb_work_object_t * w, hb_buffer_t *in ) { // Store NULL after the end of the buffer to make using string processing safe - hb_buffer_realloc( in, in->size + 1 ); - in->data[in->size] = '\0'; + hb_buffer_realloc(in, ++in->size); + in->data[in->size - 1] = '\0'; hb_buffer_t *out_list = NULL; hb_buffer_t **nextPtr = &out_list; @@ -151,10 +151,10 @@ static hb_buffer_t *ssa_decode_packet( hb_work_object_t * w, hb_buffer_t *in ) // We shouldn't be storing the extra NULL character, // but the MP4 muxer expects this, unfortunately. - if ( out->size > 0 && out->data[out->size - 1] != '\0' ) { - // NOTE: out->size remains unchanged - hb_buffer_realloc( out, out->size + 1 ); - out->data[out->size] = '\0'; + if (out->size > 0 && out->data[out->size - 1] != '\0') + { + hb_buffer_realloc(out, ++out->size); + out->data[out->size - 1] = '\0'; } // If the input packet was non-empty, do not pass through @@ -352,8 +352,9 @@ static hb_buffer_t * ssa_to_mkv_ssa( hb_work_object_t * w, hb_buffer_t * in ) hb_buffer_t * out_last = NULL; hb_buffer_t * out_first = NULL; - hb_buffer_realloc( in, in->size + 1 ); - in->data[in->size] = '\0'; + // Store NULL after the end of the buffer to make using string processing safe + hb_buffer_realloc(in, ++in->size); + in->data[in->size - 1] = '\0'; const char *EOL = "\r\n"; char *curLine, *curLine_parserData; diff --git a/libhb/dectx3gsub.c b/libhb/dectx3gsub.c index b8d8c28be..a2231a4fb 100644 --- a/libhb/dectx3gsub.c +++ b/libhb/dectx3gsub.c @@ -214,10 +214,10 @@ static int dectx3gWork( hb_work_object_t * w, hb_buffer_t ** buf_in, if ( out != NULL ) { // We shouldn't be storing the extra NULL character, // but the MP4 muxer expects this, unfortunately. - if ( out->size > 0 && out->data[out->size - 1] != '\0' ) { - // NOTE: out->size remains unchanged - hb_buffer_realloc( out, out->size + 1 ); - out->data[out->size] = '\0'; + if (out->size > 0 && out->data[out->size - 1] != '\0') + { + hb_buffer_realloc(out, ++out->size); + out->data[out->size - 1] = '\0'; } // If the input packet was non-empty, do not pass through -- 2.40.0