From c8b4a3fa1c68276f4adc3ae185e9085362998199 Mon Sep 17 00:00:00 2001
From: jeanlf
Date: Mon, 30 Aug 2021 16:57:38 +0200
Subject: [PATCH] [PATCH] fixed #1897

Gbp-Pq: Name CVE-2021-40574.patch
---
 src/filters/load_text.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/filters/load_text.c b/src/filters/load_text.c
index a528b5b..9447647 100644
--- a/src/filters/load_text.c
+++ b/src/filters/load_text.c
@@ -233,7 +233,7 @@ char *gf_text_get_utf8_line(char *szLine, u32 lineSize, FILE *txt_in, s32 unicod
 {
 u32 i, j, len;
 char *sOK;
-char szLineConv[1024];
+char szLineConv[2048];
 unsigned short *sptr;
 
 memset(szLine, 0, sizeof(char)*lineSize);
@@ -305,7 +305,7 @@ char *gf_text_get_utf8_line(char *szLine, u32 lineSize, FILE *txt_in, s32 unicod
 }
 }
 sptr = (u16 *)szLine;
-i = (u32) gf_utf8_wcstombs(szLineConv, 1024, (const unsigned short **) &sptr);
+i = (u32) gf_utf8_wcstombs(szLineConv, 2048, (const unsigned short **) &sptr);
 szLineConv[i] = 0;
 strcpy(szLine, szLineConv);
 /*this is ugly indeed: since input is UTF16-LE, there are many chances the gf_fgets never reads the \0 after a \n*/
@@ -1795,6 +1795,8 @@ static GF_Err gf_text_process_sub(GF_Filter *filter, GF_TXTIn *ctx)
 while (szLine[i+1] && szLine[i+1]!='}') {
 szTime[i] = szLine[i+1];
 i++;
+if (i>=19)
+break;
 }
 szTime[i] = 0;
 ctx->start = atoi(szTime);
-- 
2.30.2
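Review bot: The size of szLineConv and the bound handed to gf_utf8_wcstombs are two copies of the same literal, changed in lockstep here (1024 to 2048) and again in the @@ -305 hunk; they have to be edited together every time, which is exactly how such buffers drift out of sync. Deriving the bound from the array removes the duplication: `i = (u32) gf_utf8_wcstombs(szLineConv, sizeof(szLineConv) - 1, (const unsigned short **) &sptr);`. The `- 1` also reserves room for the `szLineConv[i] = 0;` terminator that follows the call in the second hunk, which would otherwise land one past the end if the converter is able to fill every byte of the bound it is given (I cannot see gf_utf8_wcstombs here, so confirm its return contract). gf_text_get_utf8_line starts and ends outside both hunks.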
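Review bot: The `strcpy(szLine, szLineConv);` right after the resized conversion is still unbounded with respect to lineSize, which the earlier hunk's `memset(szLine, 0, sizeof(char)*lineSize)` shows is the caller-supplied size of szLine; nothing in this hunk compares i against lineSize, so the larger 2048-byte intermediate only helps when every caller passes lineSize of at least that much. A bounded copy ties the write to the destination the caller actually provided, e.g. `snprintf(szLine, lineSize, "%s", szLineConv);`, with a comment noting that over-long lines are truncated rather than overflowing. Whether callers rely on the full line being preserved is decided by code outside this hunk; gf_text_get_utf8_line continues beyond it.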
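Review bot: The new `if (i>=19) break;` guard hard-codes the capacity of szTime, whose declaration is outside this hunk, so the 19 only stays correct as long as nobody resizes that array; with i starting at 0 the loop writes indices 0..18 and the `szTime[i] = 0;` after the loop then needs index 19 to exist. If szTime is a local array, `if (i >= sizeof(szTime) - 1) break;` keeps the guard and the declaration in step, and a one-line comment such as `/* leave room for the NUL written after the loop */` explains the `- 1`. When the guard fires, the loop exits without having consumed the closing `}`; whether the parsing that follows copes with that depends on code beyond the hunk, so it is worth checking. gf_text_process_sub starts and ends outside this hunk.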