[vlc-devel] Security: Subtitle StripTags heap corruption, potentially exploitable. Patch included

Rémi Denis-Courmont remi at remlab.net
Sun Jan 16 18:27:09 CET 2011

Le dimanche 16 janvier 2011 12:58:17 Harry Sintonen, vous avez écrit :
> Assuming the input string contains a '<' char but doesn't include the
> terminating '>' the routine will run past end of the string termination.
> It happens because of psz_subtitle += strcspn( psz_subtitle, ">" ); in
> combination with psz_subtitle++; will advance psz_subtitle past the string
> termination. Bytes after the string termination will be copied to the
> destination buffer, smashing the heap.

And this wouldn't happen if developers were using the dedicated XML functions 
from <vlc_xml.h>. I am fed up with this; this kind of code is barely excusable 
in our ASX parser because it is so old. There was no excuse for writing that 
kind of crap in 2007 however. Nothing to add.

Don't count on me to fix these. I think I have already done more than my share 
of VLC cleanup over the past few years.

Rémi Denis-Courmont

More information about the vlc-devel mailing list