Skip to content

V
vlc
Commit a8a08ded authored by Laurent Aimar's avatar Laurent Aimar
Browse files
Options

Fixed a lot of potential segfaults on invalid vobsub index.

parent 057ef608
Hide whitespace changes
Inline Side-by-side
Showing with 43 additions and 18 deletions
modules/demux/vobsub.c
View file @ a8a08ded
......@@ -351,11 +351,11 @@ static int Demux( demux_t *p_demux )
if( tk.i_current_subtitle >= tk.i_subtitles )
continue;
i_maxdate = (int64_t) p_sys->i_next_demux_date;
i_maxdate = p_sys->i_next_demux_date;
if( i_maxdate <= 0 && tk.i_current_subtitle < tk.i_subtitles )
{
/* Should not happen */
i_maxdate = (int64_t) tk.p_subtitles[tk.i_current_subtitle].i_start + 1;
i_maxdate = tk.p_subtitles[tk.i_current_subtitle].i_start + 1;
}
while( tk.i_current_subtitle < tk.i_subtitles &&
......@@ -424,6 +424,8 @@ static int TextLoad( text_t *txt, stream_t *s )
txt->i_line_count = 0;
txt->i_line = 0;
txt->line = calloc( i_line_max, sizeof( char * ) );
if( !txt->line )
return VLC_EGENERIC;
/* load the complete file */
for( ;; )
......@@ -436,8 +438,15 @@ static int TextLoad( text_t *txt, stream_t *s )
txt->line[txt->i_line_count++] = psz;
if( txt->i_line_count >= i_line_max )
{
char **ppsz_old = txt->line;
i_line_max += 100;
txt->line = realloc( txt->line, i_line_max * sizeof( char*) );
if( !txt->line )
{
free( ppsz_old );
break;
}
}
}
......@@ -474,7 +483,7 @@ static int ParseVobSubIDX( demux_t *p_demux )
demux_sys_t *p_sys = p_demux->p_sys;
text_t *txt = &p_sys->txt;
char *line;
vobsub_track_t *current_tk;
vobsub_track_t *current_tk = NULL;
for( ;; )
{
......@@ -484,7 +493,9 @@ static int ParseVobSubIDX( demux_t *p_demux )
}
if( *line == 0 || *line == '\r' || *line == '\n' || *line == '#' )
{
continue;
}
else if( !strncmp( "size:", line, 5 ) )
{
/* Store the original size of the video */
......@@ -546,14 +557,14 @@ static int ParseVobSubIDX( demux_t *p_demux )
language, &i_track_id ) == 2 )
{
p_sys->i_tracks++;
p_sys->track = (vobsub_track_t*)realloc( p_sys->track, sizeof( vobsub_track_t ) * (p_sys->i_tracks + 1 ) );
p_sys->track = realloc( p_sys->track, sizeof( vobsub_track_t ) * (p_sys->i_tracks + 1 ) );
/* Init the track */
current_tk = &p_sys->track[p_sys->i_tracks - 1];
memset( current_tk, 0, sizeof( vobsub_track_t ) );
current_tk->i_current_subtitle = 0;
current_tk->i_subtitles = 0;
current_tk->p_subtitles = (subtitle_t*)malloc( sizeof( subtitle_t ) );;
current_tk->p_subtitles = malloc( sizeof( subtitle_t ) );;
current_tk->i_track_id = i_track_id;
current_tk->i_delay = (int64_t)0;
......@@ -585,11 +596,11 @@ static int ParseVobSubIDX( demux_t *p_demux )
int i_sign = 1;
int64_t i_start, i_location = 0;
vobsub_track_t *current_tk = &p_sys->track[p_sys->i_tracks - 1];
if( sscanf( line, "timestamp: %d%n:%d:%d:%d, filepos: %x",
if( p_sys->i_tracks > 0 &&
sscanf( line, "timestamp: %d%n:%d:%d:%d, filepos: %x",
&h, &count, &m, &s, &ms, &loc ) >= 5 )
{
vobsub_track_t *current_tk = &p_sys->track[p_sys->i_tracks - 1];
subtitle_t *current_sub;
if( line[count-3] == '-' )
......@@ -604,13 +615,17 @@ static int ParseVobSubIDX( demux_t *p_demux )
i_location = loc;
current_tk->i_subtitles++;
current_tk->p_subtitles = (subtitle_t*)realloc( current_tk->p_subtitles, sizeof( subtitle_t ) * (current_tk->i_subtitles + 1 ) );
current_tk->p_subtitles = realloc( current_tk->p_subtitles, sizeof( subtitle_t ) * (current_tk->i_subtitles + 1 ) );
current_sub = &current_tk->p_subtitles[current_tk->i_subtitles - 1];
current_sub->i_start = (int64_t) i_start * i_sign;
current_sub->i_start = i_start * i_sign;
current_sub->i_start += current_tk->i_delay;
current_sub->i_vobsub_location = i_location;
}
else
{
msg_Warn( p_demux, "reading timestamp failed" );
}
}
else if( !strncasecmp( line, "delay:", 6 ) )
{
......@@ -621,11 +636,11 @@ static int ParseVobSubIDX( demux_t *p_demux )
int i_sign = 1;
int64_t i_gap = 0;
vobsub_track_t *current_tk = &p_sys->track[p_sys->i_tracks - 1];
if( sscanf( line, "%*celay: %d%n:%d:%d:%d",
if( p_sys->i_tracks > 0 &&
sscanf( line, "%*celay: %d%n:%d:%d:%d",
&h, &count, &m, &s, &ms ) >= 4 )
{
vobsub_track_t *current_tk = &p_sys->track[p_sys->i_tracks - 1];
if( line[count-3] == '-' )
{
i_sign = -1;
......@@ -641,6 +656,10 @@ static int ParseVobSubIDX( demux_t *p_demux )
i_sign, (long long)i_gap,
(long long)current_tk->i_delay );
}
else
{
msg_Warn( p_demux, "reading delay failed" );
}
}
}
return( 0 );
......@@ -653,7 +672,7 @@ static int DemuxVobSub( demux_t *p_demux, block_t *p_bk )
uint8_t *p_end = &p_bk->p_buffer[p_bk->i_buffer];
int i;
while( p < p_end )
while( p + 6 < p_end )
{
int i_size = ps_pkt_size( p, p_end - p );
block_t *p_pkt;
......@@ -661,9 +680,14 @@ static int DemuxVobSub( demux_t *p_demux, block_t *p_bk )
int i_spu;
if( i_size <= 0 )
break;
if( i_size > p_end - p )
{
msg_Warn( p_demux, "broken PES size" );
break;
}
if( p[0] != 0 || p[1] != 0 || p[2] != 0x01 )
{
msg_Warn( p_demux, "invalid PES" );
......@@ -694,13 +718,14 @@ static int DemuxVobSub( demux_t *p_demux, block_t *p_bk )
for( i = 0; i < p_sys->i_tracks; i++ )
{
#define tk p_sys->track[i]
vobsub_track_t *p_tk = &p_sys->track[i];
p_pkt->i_dts = p_pkt->i_pts = p_bk->i_pts;
p_pkt->i_length = 0;
if( tk.p_es && tk.i_track_id == i_spu )
if( p_tk->p_es && p_tk->i_track_id == i_spu )
{
es_out_Send( p_demux->out, tk.p_es, p_pkt );
es_out_Send( p_demux->out, p_tk->p_es, p_pkt );
p_bk->i_pts = 0; /*only first packet has a pts */
break;
}
......@@ -708,9 +733,9 @@ static int DemuxVobSub( demux_t *p_demux, block_t *p_bk )
{
block_Release( p_pkt );
}
#undef tk
}
}
return VLC_SUCCESS;
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment