[vlc-commits] subtitle: Fix potential heap buffer overflow

[Hugo Beauzée-Luyssen]

vlc | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Fri Apr 28 10:00:11 2017 +0200| [611398fc8d32f3fe4331f60b220c52ba3557beaa] | committer: Hugo Beauzée-Luyssen

subtitle: Fix potential heap buffer overflow

Reported-by: Yannay Livneh <yannayl at checkpoint.com>
             Omri Herscovici <omrih at checkpoint.com>
             Omer Gull <omergu at checkpoint.com>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=611398fc8d32f3fe4331f60b220c52ba3557beaa
---

 modules/demux/subtitle.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/modules/demux/subtitle.c b/modules/demux/subtitle.c
index 2a75fbfb7c..5e4fcdb7f2 100644
--- a/modules/demux/subtitle.c
+++ b/modules/demux/subtitle.c
@@ -1709,7 +1709,8 @@ static int ParseJSS( vlc_object_t *p_obj, subs_properties_t *p_props,
         if( !s )
             return VLC_EGENERIC;
 
-        psz_orig = malloc( strlen( s ) + 1 );
+        size_t line_length = strlen( s );
+        psz_orig = malloc( line_length + 1 );
         if( !psz_orig )
             return VLC_ENOMEM;
         psz_text = psz_orig;
@@ -1749,6 +1750,8 @@ static int ParseJSS( vlc_object_t *p_obj, subs_properties_t *p_props,
             {
             case 'S':
                  shift = isalpha( (unsigned char)psz_text[2] ) ? 6 : 2 ;
+                 if ( shift > line_length )
+                     continue;
 
                  if( sscanf( &psz_text[shift], "%d", &h ) )
                  {
@@ -1786,6 +1789,8 @@ static int ParseJSS( vlc_object_t *p_obj, subs_properties_t *p_props,
 
             case 'T':
                 shift = isalpha( (unsigned char)psz_text[2] ) ? 8 : 2 ;
+                if ( shift > line_length )
+                    continue;
 
                 sscanf( &psz_text[shift], "%d", &p_props->jss.i_time_resolution );
                 break;