[vlc-commits] subtitle: Fix potential heap buffer overflow
Hugo Beauzée-Luyssen
git at videolan.org
Thu May 18 16:11:20 CEST 2017
vlc/vlc-2.2 | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Fri Apr 28 10:00:11 2017 +0200| [aef4ee7f141439921d31ea21bc5700436cb3fb51] | committer: Hugo Beauzée-Luyssen
subtitle: Fix potential heap buffer overflow
Reported-by: Yannay Livneh <yannayl at checkpoint.com>
Omri Herscovici <omrih at checkpoint.com>
Omer Gull <omergu at checkpoint.com>
(cherry picked from commit 611398fc8d32f3fe4331f60b220c52ba3557beaa)
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>
> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.2.git/?a=commit;h=aef4ee7f141439921d31ea21bc5700436cb3fb51
---
modules/demux/subtitle.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/modules/demux/subtitle.c b/modules/demux/subtitle.c
index 3e790fd307..05c69884ac 100644
--- a/modules/demux/subtitle.c
+++ b/modules/demux/subtitle.c
@@ -1687,7 +1687,8 @@ static int ParseJSS( demux_t *p_demux, subtitle_t *p_subtitle, int i_idx )
if( !s )
return VLC_EGENERIC;
- psz_orig = malloc( strlen( s ) + 1 );
+ size_t line_length = strlen( s );
+ psz_orig = malloc( line_length + 1 );
if( !psz_orig )
return VLC_ENOMEM;
psz_text = psz_orig;
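Review bot: line_length is measured on s, but the checks added further down use it to bound offsets taken from psz_text, so the bound is only correct while psz_text still equals psz_orig and the buffer holds a full copy of s. A one-line comment at the declaration stating that assumption, or measuring the remaining length at the point of each check, would keep the two from drifting apart in later edits. The variable is not reassigned anywhere in the visible lines, so it could also be declared const size_t.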
@@ -1727,6 +1728,8 @@ static int ParseJSS( demux_t *p_demux, subtitle_t *p_subtitle, int i_idx )
{
case 'S':
shift = isalpha( (unsigned char)psz_text[2] ) ? 6 : 2 ;
+ if ( shift > line_length )
+ continue;
if( sscanf( &psz_text[shift], "%d", &h ) )
{
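Review bot: the added continue in case 'S' leaves the iteration without releasing psz_orig, which was allocated with malloc( line_length + 1 ) earlier in the function. If that allocation sits inside the same loop, every directive line rejected here leaks its buffer, so free( psz_orig ) should come before the continue. Separately, shift > line_length still admits shift == line_length, where &psz_text[shift] is the empty string and sscanf returns EOF; EOF is non-zero, so the if( sscanf( ... ) ) branch is taken without h having been parsed. Comparing the result to 1 would close that case.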
@@ -1764,6 +1767,8 @@ static int ParseJSS( demux_t *p_demux, subtitle_t *p_subtitle, int i_idx )
case 'T':
shift = isalpha( (unsigned char)psz_text[2] ) ? 8 : 2 ;
+ if ( shift > line_length )
+ continue;
sscanf( &psz_text[shift], "%d", &p_sys->jss.i_time_resolution );
break;
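Review bot: the return value of the sscanf into p_sys->jss.i_time_resolution in case 'T' is ignored, so a directive that passes the new length check but carries no number is accepted silently and the field keeps whatever value it had before. Check for a result of 1 and skip or log the line otherwise. The if ( shift > line_length ) continue; pair is now duplicated between the 'S' and 'T' cases, and here too the continue has no visible free of psz_orig before it; a small shared exit path that frees the buffer would cover both.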