[vlc-commits] [Git][videolan/vlc][master] 2 commits: codec: webvtt: reject negative values in webvtt_scan_time

Steve Lhomme (@robUx4) gitlab at videolan.org
Sat Apr 4 08:56:15 UTC 2026 


Steve Lhomme pushed to branch master at VideoLAN / VLC


Commits:
b93d04ba by Ahmed Sobhy at 2026-04-04T08:42:44+00:00
codec: webvtt: reject negative values in webvtt_scan_time
Validate that the time components are non-negative

- - - - -
943a3756 by Ahmed Sobhy at 2026-04-04T08:42:44+00:00
codec: webvtt: fix integer overflow in webvtt_scan_time
Use int32_t with SCNd32 when scanning timestamp components, preventing overflow when computing seconds in 64-bit int

- - - - -


1 changed file:

- modules/codec/webvtt/webvtt.c


Changes:

=====================================
modules/codec/webvtt/webvtt.c
=====================================
@@ -90,25 +90,31 @@ struct webvtt_text_parser_t
     webvtt_cue_t *p_cue;
 };
 
-static vlc_tick_t MakeTime( int t[4] )
+static vlc_tick_t MakeTime( int32_t t[4] )
 {
-    return vlc_tick_from_sec( t[0] * 3600 + t[1] * 60 + t[2] ) +
+    return vlc_tick_from_sec( (int64_t)t[0] * 3600 + t[1] * 60 + t[2] ) +
            VLC_TICK_FROM_MS(t[3]);
 }
 
 bool webvtt_scan_time( const char *psz, vlc_tick_t *p_time )
 {
-    int t[4];
-    if( sscanf( psz, "%2d:%2d.%3d",
+    int32_t t[4];
+    if( sscanf( psz, "%2" SCNd32 ":%2" SCNd32 ".%3" SCNd32,
                       &t[1], &t[2], &t[3] ) == 3 )
     {
         t[0] = 0;
+        if( t[1] < 0 || t[2] < 0 || t[3] < 0 )
+            return false;
+
         *p_time = MakeTime( t );
         return true;
     }
-    else if( sscanf( psz, "%d:%2d:%2d.%3d",
+    else if( sscanf( psz, "%" SCNd32 ":%2" SCNd32 ":%2" SCNd32 ".%3" SCNd32,
                           &t[0], &t[1], &t[2], &t[3] ) == 4 )
     {
+        if( t[0] < 0 || t[1] < 0 || t[2] < 0 || t[3] < 0 )
+            return false;
+
         *p_time = MakeTime( t );
         return true;
     }



View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/f56c6128cd990735489f9af1a0506d04a7669ccf...943a37568988534271ec8e58625cd606c5a7f1a0

-- 
View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/f56c6128cd990735489f9af1a0506d04a7669ccf...943a37568988534271ec8e58625cd606c5a7f1a0
You're receiving this email because of your account on code.videolan.org.

More information about the vlc-commits mailing list