[FFmpeg-devel] [PATCH 6/8] avcodec/webvttdec: do not overread if zero padding is missing
Marton Balint
cus at passwd.hu
Sat Mar 13 23:33:43 EET 2021
Signed-off-by: Marton Balint <cus at passwd.hu>
---
libavcodec/webvttdec.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/libavcodec/webvttdec.c b/libavcodec/webvttdec.c
index 7b2d1750de..43caf3edbd 100644
--- a/libavcodec/webvttdec.c
+++ b/libavcodec/webvttdec.c
@@ -42,23 +42,23 @@ static const struct {
{"&", "&"}, {" ", "\\h"},
};
-static int webvtt_event_to_ass(AVBPrint *buf, const char *p)
+static int webvtt_event_to_ass(AVBPrint *buf, const char *p, const char *pend)
{
int i, again = 0, skip = 0;
- while (*p) {
+ while (p < pend && *p) {
for (i = 0; i < FF_ARRAY_ELEMS(webvtt_tag_replace); i++) {
const char *from = webvtt_tag_replace[i].from;
const size_t len = strlen(from);
- if (!strncmp(p, from, len)) {
+ if (pend - p >= len && !strncmp(p, from, len)) {
av_bprintf(buf, "%s", webvtt_tag_replace[i].to);
p += len;
again = 1;
break;
}
}
- if (!*p)
+ if (p == pend || !*p)
break;
if (again) {
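Review bot: In the tag-matching loop the guard `pend - p >= len` compares a signed `ptrdiff_t` with a `size_t`, so it is only correct while `p <= pend` holds. That invariant does hold in the lines shown, because `p` advances by `len` only after the guard has passed, but it is better made explicit: `if ((size_t)(pend - p) >= len && !strncmp(p, from, len)) {`. The new parameter also deserves a comment above the function, for example `/* pend is one past the last readable byte of p; the input need not be NUL-terminated */`. The loop body continues past `if (again) {` outside this hunk, so any read beyond `*p` in that remainder (a lookahead at the next byte, for instance) would need the same `pend` bound for the overread fix to be complete; this cannot be confirmed from the lines visible here.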
@@ -89,7 +89,7 @@ static int webvtt_decode_frame(AVCodecContext *avctx,
AVBPrint buf;
av_bprint_init(&buf, 0, AV_BPRINT_SIZE_UNLIMITED);
- if (ptr && avpkt->size > 0 && !webvtt_event_to_ass(&buf, ptr))
+ if (ptr && avpkt->size > 0 && !webvtt_event_to_ass(&buf, ptr, ptr + avpkt->size))
ret = ff_ass_add_rect(sub, buf.str, s->readorder++, 0, NULL, NULL);
av_bprint_finalize(&buf, NULL);
if (ret < 0)
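Review bot: `buf.str` is passed to `ff_ass_add_rect` without checking that the AVBPrint buffer is complete, so with `AV_BPRINT_SIZE_UNLIMITED` an allocation failure inside `webvtt_event_to_ass` would produce a silently truncated event. Testing `av_bprint_is_complete(&buf)` before the `ff_ass_add_rect` call and setting `ret = AVERROR(ENOMEM);` when it fails would surface that case. Separately, `ptr + avpkt->size` is the right end pointer only if `ptr` is the start of the packet data; that assignment is outside the hunk and should be confirmed. webvtt_decode_frame begins and ends outside this hunk.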
--
2.26.2