Good question. Since text_pos_chars never exceeds the existing variable text_pos, I did not think about this.
No, there are no checks. The spec says that "Authors should limit the string in each text sample to not more than 2048 bytes, for maximum terminal interoperability", but the code does not enforce this limit (or the maximum uint16_t value of 65535 for that matter). The likelihood of exceeding this limit is very small, but it does not hurt to add a check.

In any case text_pos >= text_pos_chars, so it should be sufficient to check just text_pos. In mov_text_new_line_cb we only increment by 1, so checking if s->text_pos == 0 after that is enough. In mov_text_text_cb this check can be used instead, placed before the length len is added to text_pos:

    if (len > UINT16_MAX || (s->text_pos > UINT16_MAX - len)) // Overflow

I am new to the project's source code and do not know how errors and warnings should be handled, but could it be an idea to print a warning if text_pos > 2048, and print an error message and abort in case of overflow? Or should the rest of the text just be truncated?

P.S. Please excuse the duplicate patch that was sent an hour or two ago. It is identical to the one I submitted a couple of days ago and I have no idea why or how that happened.

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
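The overflow check discussed above, worked through as an added stand-alone example (not FFmpeg code; the function names, the status enum and the truncating variant are assumptions made for illustration). It shows the pre-addition check on a uint16_t position counter, the separate 2048-byte spec guidance, why the naive addition wraps, and the truncation alternative mentioned in the message:

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed example: the spec's recommended per-sample text size. */
#define MOV_TEXT_SPEC_LIMIT 2048

enum append_status {
    APPEND_OK = 0,         /* fits and stays within the 2048-byte guidance */
    APPEND_OVER_SPEC = 1,  /* fits in uint16_t but exceeds 2048 bytes (warning case) */
    APPEND_OVERFLOW = -1   /* adding len would wrap the uint16_t counter (error case) */
};

/* Same shape as the check proposed on the list: decide before text_pos += len.
 * The first clause guarantees UINT16_MAX - len cannot wrap in the second. */
static enum append_status mov_text_check_append(uint16_t text_pos, size_t len)
{
    if (len > UINT16_MAX || text_pos > UINT16_MAX - len)
        return APPEND_OVERFLOW;
    if ((size_t)text_pos + len > MOV_TEXT_SPEC_LIMIT)
        return APPEND_OVER_SPEC;
    return APPEND_OK;
}

/* Truncating alternative: accept only as many bytes as still fit in the
 * counter, advance it, and report how many bytes were actually taken. */
static size_t mov_text_append_truncate(uint16_t *text_pos, size_t len)
{
    size_t room = (size_t)UINT16_MAX - *text_pos;
    size_t take = len < room ? len : room;
    *text_pos = (uint16_t)(*text_pos + take);
    return take;
}

/* What the unchecked code does today: the addition silently wraps to a
 * small value, which is why the check must run before the addition. */
static uint16_t naive_add(uint16_t text_pos, size_t len)
{
    return (uint16_t)(text_pos + len);
}
```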