avcodec/dvdsub: fix partial packet assembly

Assuming the first and second packets are partial, this would append the reassembly buffer (ctx->buf) to itself with the second append_to_cached_buf() call, because buf is set to ctx->buf. I do not know a valid sample file which triggers this, and do not know if packets can be split into more than 2 sub-packets, but it triggered with a (differently) broken sample file in trac issue #4872.

avcodec/dvdsub: fix partial packet assembly
Assuming the first and second packets are partial, this would append the reassembly buffer (ctx->buf) to itself with the second append_to_cached_buf() call, because buf is set to ctx->buf. I do not know a valid sample file which triggers this, and do not know if packets can be split into more than 2 sub-packets, but it triggered with a (differently) broken sample file in trac issue #4872.
f874e272 · wm4 · 26eb2940 · f874e272
Commit f874e272 authored Sep 21, 2015 by wm4
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

dvdsubdec.c libavcodec/dvdsubdec.c +3 -1

No files found.
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -535,6 +535,7 @@ static int dvdsub_decode(AVCodecContext *avctx,
    const uint8_t *buf = avpkt->data;
    int buf_size = avpkt->size;
    AVSubtitle *sub = data;
+    int appended = 0;
    int is_menu;
    if (ctx->buf_size) {
@@ -545,12 +546,13 @@ static int dvdsub_decode(AVCodecContext *avctx,
        }
        buf = ctx->buf;
        buf_size = ctx->buf_size;
+        appended = 1;
    }
    is_menu = decode_dvd_subtitles(ctx, sub, buf, buf_size);
    if (is_menu == AVERROR(EAGAIN)) {
        *data_size = 0;
-        return append_to_cached_buf(avctx, buf, buf_size);
+        return appended ? 0 : append_to_cached_buf(avctx, buf, buf_size);
    }
    if (is_menu < 0) {