On Thu, Jan 08, 2015 at 05:19:17PM +0100, wm4 wrote:
> dvdsub_decode() can call append_to_cached_buf() 2 times, the second time
> with ctx->buf as argument. If the second append_to_cached_buf() reallocs
> ctx->buf, the argument will be a pointer to the previous, freed block.
> This can cause invali
dvdsub_decode() can call append_to_cached_buf() 2 times, the second time
with ctx->buf as argument. If the second append_to_cached_buf() reallocs
ctx->buf, the argument will be a pointer to the previous, freed block.
This can cause invalid reads at least with some fuzzed files - and
possibly with v
