[vlc-devel] Security: Subtitle StripTags heap corruption, potentially exploitable. Patch included
Rémi Denis-Courmont
remi at remlab.net
Sun Jan 16 18:27:09 CET 2011
Le dimanche 16 janvier 2011 12:58:17 Harry Sintonen, vous avez écrit :
> Assuming the input string contains a '<' char but doesn't include the
> terminating '>' the routine will run past end of the string termination.
> It happens because of psz_subtitle += strcspn( psz_subtitle, ">" ); in
> combination with psz_subtitle++; will advance psz_subtitle past the string
> termination. Bytes after the string termination will be copied to the
> destination buffer, smashing the heap.
And this wouldn't happen if developers were using the dedicated XML functions
from <vlc_xml.h>. I am fed up with this; this kind of code is barely excusable
in our ASX parser because it is so old. There was no excuse for writing that
kind of crap in 2007 however. Nothing to add.
Don't count on me to fix these. I think I have already done more than my share
of VLC cleanup over the past few years.
--
Rémi Denis-Courmont
http://www.remlab.net/
http://fi.linkedin.com/in/remidenis
More information about the vlc-devel
mailing list