movtextenc: fix pointer messup and out of array accesses

Fixes Ticket2213 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit b0635e2fcf80717dd618ef75d3317d62ed85c300)
author: Michael Niedermayer <michaelni@gmx.at> 2013-02-05 21:54:02 +0100
committer: Carl Eugen Hoyos <cehoyos@ag.or.at> 2013-02-06 00:07:02 +0100
commit: a55c274f519fad74b949a768e5d526775c4deaa6 (patch)
tree: 76bb7262019ad88ad37cb2dfe6d42030a609b75f
parent: eaa9d2cd6b8c1e2722d5bfc56ea67fde865200ce (diff)
download: ffmpeg-a55c274f519fad74b949a768e5d526775c4deaa6.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/libavcodec/movtextenc.c b/libavcodec/movtextenc.c
index 7f1b5b830f..9b0a6c5bce 100644
--- a/libavcodec/movtextenc.c
+++ b/libavcodec/movtextenc.c
@@ -21,6 +21,7 @@
 
 #include <stdarg.h>
 #include "avcodec.h"
+#include "libavutil/avassert.h"
 #include "libavutil/avstring.h"
 #include "libavutil/intreadwrite.h"
 #include "ass_split.h"
@@ -87,15 +88,18 @@ static av_cold int mov_text_encode_init(AVCodecContext *avctx)
 static void mov_text_text_cb(void *priv, const char *text, int len)
 {
     MovTextContext *s = priv;
+    av_assert0(s->end >= s->ptr);
     av_strlcpy(s->ptr, text, FFMIN(s->end - s->ptr, len + 1));
-    s->ptr += len;
+    s->ptr += FFMIN(s->end - s->ptr, len);
 }
 
 static void mov_text_new_line_cb(void *priv, int forced)
 {
     MovTextContext *s = priv;
+    av_assert0(s->end >= s->ptr);
     av_strlcpy(s->ptr, "\n", FFMIN(s->end - s->ptr, 2));
-    s->ptr++;
+    if (s->end > s->ptr)
+        s->ptr++;
 }
 
 static const ASSCodesCallbacks mov_text_callbacks = {
author	Michael Niedermayer <michaelni@gmx.at>	2013-02-05 21:54:02 +0100
committer	Carl Eugen Hoyos <cehoyos@ag.or.at>	2013-02-06 00:07:02 +0100
commit	a55c274f519fad74b949a768e5d526775c4deaa6 (patch)
tree	76bb7262019ad88ad37cb2dfe6d42030a609b75f
parent	eaa9d2cd6b8c1e2722d5bfc56ea67fde865200ce (diff)
download	ffmpeg-a55c274f519fad74b949a768e5d526775c4deaa6.tar.gz