From f874e2728b0925b2ec30dd7ec64815f15078c06f Mon Sep 17 00:00:00 2001 From: wm4 Date: Mon, 21 Sep 2015 18:16:35 +0200 Subject: [PATCH] avcodec/dvdsub: fix partial packet assembly Assuming the first and second packets are partial, this would append the reassembly buffer (ctx->buf) to itself with the second append_to_cached_buf() call, because buf is set to ctx->buf. I do not know a valid sample file which triggers this, and do not know if packets can be split into more than 2 sub-packets, but it triggered with a (differently) broken sample file in trac issue #4872. --- libavcodec/dvdsubdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 81432e13a6..57eafbf270 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -535,6 +535,7 @@ static int dvdsub_decode(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; AVSubtitle *sub = data; + int appended = 0; int is_menu; if (ctx->buf_size) { @@ -545,12 +546,13 @@ static int dvdsub_decode(AVCodecContext *avctx, } buf = ctx->buf; buf_size = ctx->buf_size; + appended = 1; } is_menu = decode_dvd_subtitles(ctx, sub, buf, buf_size); if (is_menu == AVERROR(EAGAIN)) { *data_size = 0; - return append_to_cached_buf(avctx, buf, buf_size); + return appended ? 0 : append_to_cached_buf(avctx, buf, buf_size); } if (is_menu < 0) {