-
wm4 authored
dvdsub_decode() can call append_to_cached_buf() 2 times, the second time with ctx->buf as argument. If the second append_to_cached_buf() reallocs ctx->buf, the argument will be a pointer to the previous, freed block. This can cause invalid reads at least with some fuzzed files - and possibly with valid files. Since packets can apparently not be larger than 64K (even if packets are combined), just use a fixed size buffer. It will be allocated as part of the DVDSubContext, and although some memory is "wasted", it's relatively minimal by modern standards and should be acceptable. Signed-off-by:Michael Niedermayer <michaelni@gmx.at>
81657771
