From 7b65202e4711899680992b723c3c327bc2fd2983 Mon Sep 17 00:00:00 2001
From: wm4
Date: Sat, 20 Oct 2012 20:50:40 +0200
Subject: osd_libass: fix stupid dangling pointer crash
append_utf8_buffer() reallocates the buffer passed to it, and returns the new pointer. This bug was originally introduced in mplayer2 when that project merged mpv's osd_libass.c. That merge changed some minor things, including ASS escape handling. When mpv used this better method of escape handling too (commit 0ff7dd992fb0), the bug was duplicated.
---
sub/osd_libass.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'sub')
diff --git a/sub/osd_libass.c b/sub/osd_libass.c
index de9f31b2cb..612bef2c56 100644
--- a/sub/osd_libass.c
+++ b/sub/osd_libass.c
@@ -246,7 +246,7 @@ static char *mangle_ass(const char *in)
 res = talloc_strndup_append_buffer(res, in, 1);
 // Break ASS escapes with U+2060 WORD JOINER
 if (*in == '\\')
- append_utf8_buffer(res, 0x2060);
+ res = append_utf8_buffer(res, 0x2060);
 in++;
 }
 return res;
-- cgit v1.2.3
From a781fe14f729e0d3300e0e62aebbae1914d65cd4 Mon Sep 17 00:00:00 2001
From: wm4
Date: Sat, 20 Oct 2012 20:58:46 +0200
Subject: osd_libass: increase robustness when handling internal OSD escapes
The \xFF escape is used internally to insert special OSD symbols (which need a font change to the internal OSD font). There was potential for breakage when \xFF was followed by \0, because then "in" would be advanced past the string's end. Normally this can't happen, as it would require invalid UTF-8 input data. But we don't check input for UTF-8 validness, so there's a potential issue here. Garbled output is ok on invalid UTF-8 input, but crashing is not. Make it more robust by checking for this.
---
sub/osd_libass.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'sub')
diff --git a/sub/osd_libass.c b/sub/osd_libass.c
index 612bef2c56..29450535bc 100644
--- a/sub/osd_libass.c
+++ b/sub/osd_libass.c
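Review bot: The `+` line assigns the reallocated pointer correctly, but nothing prevents the same dropped-return-value bug from being reintroduced at the next call site, because a call to append_utf8_buffer() that ignores its result compiles silently; the function's declaration should carry `__attribute__((warn_unused_result))` so the compiler rejects the pattern. The commit message itself says this exact mistake has already been made twice, which is a strong argument for a compile-time guard over code review alone. mangle_ass() begins before this hunk; only the tail of its loop and the `return res;` are visible here.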
@@ -234,7 +234,7 @@ static char *mangle_ass(const char *in)
 char *res = talloc_strdup(NULL, "");
 while (*in) {
 // As used by osd_get_function_sym().
- if (in[0] == '\xFF') {
+ if (in[0] == '\xFF' && in[1]) {
 res = talloc_strdup_append_buffer(res, ASS_USE_OSD_FONT);
 res = append_utf8_buffer(res, OSD_CODEPOINTS + in[1]);
 res = talloc_strdup_append_buffer(res, "{\\r}");
-- cgit v1.2.3
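Review bot: The added `&& in[1]` stops the read past the terminator, but `in[1]` is still a plain `char` when it is used in `OSD_CODEPOINTS + in[1]` on the line below, so on targets where char is signed any byte at or above 0x80 following the `\xFF` marker makes the sum smaller than OSD_CODEPOINTS rather than selecting an internal-symbol codepoint; since the commit message states that input is not validated as UTF-8, that path is reachable from arbitrary subtitle text. Converting through `unsigned char` closes it: `res = append_utf8_buffer(res, OSD_CODEPOINTS + (unsigned char)in[1]);`. Whether an out-of-range value here is merely garbled output or something worse depends on what append_utf8_buffer() does with it, which is not visible in this hunk. The remainder of the branch, presumably including the advance of `in` past the two-byte escape, lies outside the hunk.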