[vlc-commits] subsdec: Fix potential out of bound reads

Yannay Livneh git at videolan.org
Thu Apr 6 16:38:07 CEST 2017 

vlc/vlc-2.2 | branch: master | Yannay Livneh <yannayl at checkpoint.com> | Thu Apr  6 11:18:46 2017 +0200| [7cac839692ab79dbfe5e4ebd4c4e37d9a8b1b328] | committer: Hugo Beauzée-Luyssen

subsdec: Fix potential out of bound reads

Report and patch by: Yannay Livneh <yannayl at checkpoint.com>
                     Omri Herscovici <omrih at checkpoint.com>
                     Omer Gull <omergu at checkpoint.com>

Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=7cac839692ab79dbfe5e4ebd4c4e37d9a8b1b328
---

 modules/codec/subsdec.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/modules/codec/subsdec.c b/modules/codec/subsdec.c
index 1b4276e..addd8c7 100644
--- a/modules/codec/subsdec.c
+++ b/modules/codec/subsdec.c
@@ -664,7 +664,7 @@ static char *CreateHtmlSubtitle( int *pi_align, char *psz_subtitle )
                 HtmlCopy( &psz_html, &psz_subtitle, "<font " );
                 HtmlPut( &psz_tag, "f" );
 
-                while( *psz_subtitle != '>' )
+                while( *psz_subtitle != '>' && *psz_subtitle)
                 {
                     int  k;
 
@@ -722,7 +722,7 @@ static char *CreateHtmlSubtitle( int *pi_align, char *psz_subtitle )
                                 i_len++;
                         }
                         /* Not a tag, something else we do not understand */
-                        if( i_len == 0 )
+                        if( i_len == 0 && *psz_subtitle != '\0' )
                             psz_subtitle++;
 
                         psz_subtitle += i_len;
@@ -731,6 +731,7 @@ static char *CreateHtmlSubtitle( int *pi_align, char *psz_subtitle )
                     HtmlNPut( &psz_html, psz_subtitle, strspn(psz_subtitle, " ") );
                 }
                 HtmlPut( &psz_html, ">" );
+                if (*psz_subtitle == '\0') break;
                 psz_subtitle++;
             }
             else if( !strncmp( psz_subtitle, "</", 2 ))
@@ -912,7 +913,7 @@ static char *CreateHtmlSubtitle( int *pi_align, char *psz_subtitle )
             }
             psz_subtitle = strchr( psz_subtitle, '}' ) + 1;
         }
-        else if( psz_subtitle[0] == '{' &&  psz_subtitle[2] == ':' && strchr( psz_subtitle, '}' ) )
+        else if( psz_subtitle[0] == '{' &&  psz_subtitle[1] != '\0' && psz_subtitle[2] == ':' && strchr( psz_subtitle, '}' ) )
         {
             // Hide other {x:y} atrocities, like {c:$bbggrr} or {P:x}
             psz_subtitle = strchr( psz_subtitle, '}' ) + 1;

More information about the vlc-commits mailing list