[vlc-commits] svcdsub: Fix potential buffer overrun

Zinuo Han git at videolan.org
Thu May 23 17:40:45 CEST 2019 

vlc/vlc-3.0 | branch: master | Zinuo Han <ele7enxxh at gmail.com> | Mon Apr  1 11:44:26 2019 +0200| [9ea95ee8c85d839d5482cc9876a8df4d299fd741] | committer: Hugo Beauzée-Luyssen

svcdsub: Fix potential buffer overrun

https://hackerone.com/reports/504722

Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>
(cherry picked from commit 3d2507c632003920484098e05fb21736a4c9956d)
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=9ea95ee8c85d839d5482cc9876a8df4d299fd741
---

 modules/codec/svcdsub.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/modules/codec/svcdsub.c b/modules/codec/svcdsub.c
index e509effdbc..6be8a43c02 100644
--- a/modules/codec/svcdsub.c
+++ b/modules/codec/svcdsub.c
@@ -362,18 +362,30 @@ static void ParseHeader( decoder_t *p_dec, block_t *p_block )
 {
     decoder_sys_t *p_sys = p_dec->p_sys;
     uint8_t *p = p_block->p_buffer;
+    size_t i_buffer = p_block->i_buffer;
     uint8_t i_options, i_cmd;
     int i;
 
+    if (i_buffer < 4) return;
+
     p_sys->i_spu_size = GETINT16(p);
     i_options  = *p++;
     // Skip over unused value
     p++;
 
-    if( i_options & 0x08 ) { p_sys->i_duration = GETINT32(p); }
+    i_buffer -= 4;
+
+    if( i_options & 0x08 ) {
+      if (i_buffer < 4) return;
+      p_sys->i_duration = GETINT32(p);
+      p += 4;
+      i_buffer -= 4;
+    }
     else p_sys->i_duration = 0; /* Ephemer subtitle */
     p_sys->i_duration *= 100 / 9;
 
+    if (i_buffer < 25) return;
+
     p_sys->i_x_start = GETINT16(p);
     p_sys->i_y_start = GETINT16(p);
     p_sys->i_width   = GETINT16(p);
@@ -388,12 +400,21 @@ static void ParseHeader( decoder_t *p_dec, block_t *p_block )
     }
 
     i_cmd = *p++;
+
+    i_buffer -= 25;
+
     /* We do not really know this, FIXME */
-    if( i_cmd ) { p += 4; }
+    if( i_cmd ) {
+      if (i_buffer < 4) return;
+      p += 4;
+      i_buffer -= 4;
+    }
 
     /* Actually, this is measured against a different origin, so we have to
      * adjust it */
+    if (i_buffer < 2) return;
     p_sys->second_field_offset = GETINT16(p);
+    i_buffer -= 2;
     p_sys->i_image_offset  = p - p_block->p_buffer;
     p_sys->i_image_length  = p_sys->i_spu_size - p_sys->i_image_offset;
     p_sys->metadata_length = p_sys->i_image_offset;

More information about the vlc-commits mailing list