Commit 94baded6 authored by Rafaël Carré's avatar Rafaël Carré

Fix yet another buffer overflow in ParseSSA()

Remember *scanf() is lame
parent f0b998ef
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
* subtitle.c: Demux for subtitle text files. * subtitle.c: Demux for subtitle text files.
***************************************************************************** *****************************************************************************
* Copyright (C) 1999-2004 the VideoLAN team * Copyright (C) 1999-2004 the VideoLAN team
* $Id$ * $Id: 6990562ea05f756333a9a79d2d41a4dcc407331c $
* *
* Authors: Laurent Aimar <fenrir@via.ecp.fr> * Authors: Laurent Aimar <fenrir@via.ecp.fr>
* Derk-Jan Hartman <hartman at videolan dot org> * Derk-Jan Hartman <hartman at videolan dot org>
...@@ -686,6 +686,7 @@ static void TextPreviousLine( text_t *txt ) ...@@ -686,6 +686,7 @@ static void TextPreviousLine( text_t *txt )
* Specific Subtitle function * Specific Subtitle function
*****************************************************************************/ *****************************************************************************/
#define MAX_LINE 8192 #define MAX_LINE 8192
#define MAX_LINE_STR "8192" /* used in *scanf() regexps */
static int ParseMicroDvd( demux_t *p_demux, subtitle_t *p_subtitle ) static int ParseMicroDvd( demux_t *p_demux, subtitle_t *p_subtitle )
{ {
demux_sys_t *p_sys = p_demux->p_sys; demux_sys_t *p_sys = p_demux->p_sys;
...@@ -722,9 +723,9 @@ next: ...@@ -722,9 +723,9 @@ next:
i_start = 0; i_start = 0;
i_stop = 0; i_stop = 0;
memset( buffer_text, '\0', MAX_LINE ); memset( buffer_text, '\0', MAX_LINE + 1 );
if( sscanf( s, "{%d}{}%8192[^\r\n]", &i_start, buffer_text ) == 2 || if( sscanf( s, "{%d}{}%"MAX_LINE_STR"[^\r\n]", &i_start, buffer_text ) == 2 ||
sscanf( s, "{%d}{%d}%8192[^\r\n]", &i_start, &i_stop, buffer_text ) == 3) sscanf( s, "{%d}{%d}%"MAX_LINE_STR"[^\r\n]", &i_start, &i_stop, buffer_text ) == 3)
{ {
break; break;
} }
...@@ -981,7 +982,7 @@ static int ParseSSA( demux_t *p_demux, subtitle_t *p_subtitle ) ...@@ -981,7 +982,7 @@ static int ParseSSA( demux_t *p_demux, subtitle_t *p_subtitle )
* Dialogue: Layer#,0:02:40.65,0:02:41.79,Wolf main,Cher,0000,0000,0000,,Et les enregistrements de ses ondes delta ? * Dialogue: Layer#,0:02:40.65,0:02:41.79,Wolf main,Cher,0000,0000,0000,,Et les enregistrements de ses ondes delta ?
*/ */
if( sscanf( s, if( sscanf( s,
"Dialogue: %[^,],%d:%d:%d.%d,%d:%d:%d.%d,%81920[^\r\n]", "Dialogue: %"MAX_LINE_STR"0[^,],%d:%d:%d.%d,%d:%d:%d.%d,%"MAX_LINE_STR"0[^\r\n]",
buffer_text2, buffer_text2,
&h1, &m1, &s1, &c1, &h1, &m1, &s1, &c1,
&h2, &m2, &s2, &c2, &h2, &m2, &s2, &c2,
...@@ -1074,8 +1075,8 @@ static int ParseVplayer( demux_t *p_demux, subtitle_t *p_subtitle ) ...@@ -1074,8 +1075,8 @@ static int ParseVplayer( demux_t *p_demux, subtitle_t *p_subtitle )
i_start = 0; i_start = 0;
memset( buffer_text, '\0', MAX_LINE ); memset( buffer_text, '\0', MAX_LINE + 1 );
if( sscanf( p, "%d:%d:%d%[ :]%81920[^\r\n]", &h, &m, &s, &c, buffer_text ) == 5 ) if( sscanf( p, "%d:%d:%d%[ :]%"MAX_LINE_STR"0[^\r\n]", &h, &m, &s, &c, buffer_text ) == 5 )
{ {
i_start = ( (int64_t)h * 3600*1000 + i_start = ( (int64_t)h * 3600*1000 +
(int64_t)m * 60*1000 + (int64_t)m * 60*1000 +
......
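Review bot: In the ParseVplayer hunk the new memset clears `MAX_LINE + 1` bytes of `buffer_text`, but the sscanf() on the next line accepts `%"MAX_LINE_STR"0[^\r\n]`, which is up to 81920 characters plus the terminating NUL. If `buffer_text` is declared with `MAX_LINE + 1` bytes there (the declaration is outside the hunk), the width should be `%"MAX_LINE_STR"[^\r\n]`, as in ParseMicroDvd. The same width-versus-size check applies to the ParseSSA hunk: a scanf width does not count the NUL, so both destination buffers need at least 81921 bytes for `%"MAX_LINE_STR"0[...]` to be safe. The `%[ :]` conversion in the ParseVplayer format also still has no width while storing into `&c`. Deriving both the width and the array sizes from one constant, rather than appending a literal `0` to `MAX_LINE_STR`, would keep them from drifting apart again.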