From 752e6dfa3ea97e7901870bdd9e5a51f860607240 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 9 Sep 2016 10:26:15 +0200
Subject: [PATCH] avcodec/ccaption_dec: Use simple array instead of AVBuffer

This is simpler and fixes an out of array read, fixing it with AVBuffers
would be more complex

Fixes: e00d9e6e50e5495cc93fea41147b97bb/asan_heap-oob_12dcdbb_8798_b32a97ea722dd37bb5066812cc674552.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/ccaption_dec.c | 27 +++++++++++----------------
 1 file changed, 11 insertions(+), 16 deletions(-)

diff --git a/libavcodec/ccaption_dec.c b/libavcodec/ccaption_dec.c
index b38a391011b..33e2130f8e5 100644
--- a/libavcodec/ccaption_dec.c
+++ b/libavcodec/ccaption_dec.c
@@ -247,7 +247,8 @@ typedef struct CCaptionSubContext {
     int64_t last_real_time;
     char prev_cmd[2];
     /* buffer to store pkt data */
-    AVBufferRef *pktbuf;
+    uint8_t *pktbuf;
+    int pktbuf_size;
     int readorder;
 } CCaptionSubContext;
 
@@ -274,11 +275,7 @@ static av_cold int init_decoder(AVCodecContext *avctx)
     if (ret < 0) {
         return ret;
     }
-    /* allocate pkt buffer */
-    ctx->pktbuf = av_buffer_alloc(128);
-    if (!ctx->pktbuf) {
-        ret = AVERROR(ENOMEM);
-    }
+
     return ret;
 }
 
@@ -286,7 +283,8 @@ static av_cold int close_decoder(AVCodecContext *avctx)
 {
     CCaptionSubContext *ctx = avctx->priv_data;
     av_bprint_finalize(&ctx->buffer, NULL);
-    av_buffer_unref(&ctx->pktbuf);
+    av_freep(&ctx->pktbuf);
+    ctx->pktbuf_size = 0;
     return 0;
 }
 
@@ -759,16 +757,13 @@ static int decode(AVCodecContext *avctx, void *data, int *got_sub, AVPacket *avp
     int ret = 0;
     int i;
 
-    if (ctx->pktbuf->size < len) {
-        ret = av_buffer_realloc(&ctx->pktbuf, len);
-         if (ret < 0) {
-            av_log(ctx, AV_LOG_WARNING, "Insufficient Memory of %d truncated to %d\n", len, ctx->pktbuf->size);
-            len = ctx->pktbuf->size;
-            ret = 0;
-        }
+    av_fast_padded_malloc(&ctx->pktbuf, &ctx->pktbuf_size, len);
+    if (!ctx->pktbuf) {
+        av_log(ctx, AV_LOG_WARNING, "Insufficient Memory of %d truncated to %d\n", len, ctx->pktbuf_size);
+        return AVERROR(ENOMEM);
     }
-    memcpy(ctx->pktbuf->data, avpkt->data, len);
-    bptr = ctx->pktbuf->data;
+    memcpy(ctx->pktbuf, avpkt->data, len);
+    bptr = ctx->pktbuf;
 
     for (i  = 0; i < len; i += 3) {
         uint8_t cc_type = *(bptr + i) & 3;
-- 
GitLab