Fixed a lot of potential segfaults on invalid vobsub index.

a8a08ded · Laurent Aimar · 057ef608 · a8a08ded
Commit a8a08ded authored Sep 30, 2008 by Laurent Aimar
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 18 deletions

modules/demux/vobsub.c modules/demux/vobsub.c +43 -18

No files found.
--- a/modules/demux/vobsub.c
+++ b/modules/demux/vobsub.c
@@ -351,11 +351,11 @@ static int Demux( demux_t *p_demux )
        if( tk.i_current_subtitle >= tk.i_subtitles )
            continue;
-        i_maxdate = (int64_t) p_sys->i_next_demux_date;
+        i_maxdate = p_sys->i_next_demux_date;
        if( i_maxdate <= 0 && tk.i_current_subtitle < tk.i_subtitles )
        {
            /* Should not happen */
-            i_maxdate = (int64_t) tk.p_subtitles[tk.i_current_subtitle].i_start + 1;
+            i_maxdate = tk.p_subtitles[tk.i_current_subtitle].i_start + 1;
        }
        while( tk.i_current_subtitle < tk.i_subtitles &&
@@ -424,6 +424,8 @@ static int TextLoad( text_t *txt, stream_t *s )
    txt->i_line_count   = 0;
    txt->i_line         = 0;
    txt->line           = calloc( i_line_max, sizeof( char * ) );
+    if( !txt->line )
+        return VLC_EGENERIC;
    /* load the complete file */
    for( ;; )
@@ -436,8 +438,15 @@ static int TextLoad( text_t *txt, stream_t *s )
        txt->line[txt->i_line_count++] = psz;
        if( txt->i_line_count >= i_line_max )
        {
+            char **ppsz_old = txt->line;
            i_line_max += 100;
            txt->line = realloc( txt->line, i_line_max * sizeof( char*) );
+            if( !txt->line )
+            {
+                free( ppsz_old );
+                break;
+            }
        }
    }
@@ -474,7 +483,7 @@ static int ParseVobSubIDX( demux_t *p_demux )
    demux_sys_t *p_sys = p_demux->p_sys;
    text_t      *txt = &p_sys->txt;
    char        *line;
-    vobsub_track_t *current_tk;
+    vobsub_track_t *current_tk = NULL;
    for( ;; )
    {
@@ -484,7 +493,9 @@ static int ParseVobSubIDX( demux_t *p_demux )
        }
        if( *line == 0 || *line == '\r' || *line == '\n' || *line == '#' )
+        {
            continue;
+        }
        else if( !strncmp( "size:", line, 5 ) )
        {
            /* Store the original size of the video */
@@ -546,14 +557,14 @@ static int ParseVobSubIDX( demux_t *p_demux )
                        language, &i_track_id ) == 2 )
            {
                p_sys->i_tracks++;
-                p_sys->track = (vobsub_track_t*)realloc( p_sys->track, sizeof( vobsub_track_t ) * (p_sys->i_tracks + 1 ) );
+                p_sys->track = realloc( p_sys->track, sizeof( vobsub_track_t ) * (p_sys->i_tracks + 1 ) );
                /* Init the track */
                current_tk = &p_sys->track[p_sys->i_tracks - 1];
                memset( current_tk, 0, sizeof( vobsub_track_t ) );
                current_tk->i_current_subtitle = 0;
                current_tk->i_subtitles = 0;
-                current_tk->p_subtitles = (subtitle_t*)malloc( sizeof( subtitle_t ) );;
+                current_tk->p_subtitles = malloc( sizeof( subtitle_t ) );;
                current_tk->i_track_id = i_track_id;
                current_tk->i_delay = (int64_t)0;
@@ -585,11 +596,11 @@ static int ParseVobSubIDX( demux_t *p_demux )
            int i_sign = 1;
            int64_t i_start, i_location = 0;
-            vobsub_track_t *current_tk = &p_sys->track[p_sys->i_tracks - 1];
+            if( p_sys->i_tracks > 0 &&
+                sscanf( line, "timestamp: %d%n:%d:%d:%d, filepos: %x",
-            if( sscanf( line, "timestamp: %d%n:%d:%d:%d, filepos: %x",
                        &h, &count, &m, &s, &ms, &loc ) >= 5  )
            {
+                vobsub_track_t *current_tk = &p_sys->track[p_sys->i_tracks - 1];
                subtitle_t *current_sub;
                if( line[count-3] == '-' )
@@ -604,13 +615,17 @@ static int ParseVobSubIDX( demux_t *p_demux )
                i_location = loc;
                current_tk->i_subtitles++;
-                current_tk->p_subtitles = (subtitle_t*)realloc( current_tk->p_subtitles, sizeof( subtitle_t ) * (current_tk->i_subtitles + 1 ) );
+                current_tk->p_subtitles = realloc( current_tk->p_subtitles, sizeof( subtitle_t ) * (current_tk->i_subtitles + 1 ) );
                current_sub = &current_tk->p_subtitles[current_tk->i_subtitles - 1];
-                current_sub->i_start = (int64_t) i_start * i_sign;
+                current_sub->i_start = i_start * i_sign;
                current_sub->i_start += current_tk->i_delay;
                current_sub->i_vobsub_location = i_location;
            }
+            else
+            {
+                msg_Warn( p_demux, "reading timestamp failed" );
+            }
        }
        else if( !strncasecmp( line, "delay:", 6 ) )
        {
@@ -621,11 +636,11 @@ static int ParseVobSubIDX( demux_t *p_demux )
            int i_sign = 1;
            int64_t i_gap = 0;
-            vobsub_track_t *current_tk = &p_sys->track[p_sys->i_tracks - 1];
+            if( p_sys->i_tracks > 0 &&
+                sscanf( line, "%*celay: %d%n:%d:%d:%d",
-            if( sscanf( line, "%*celay: %d%n:%d:%d:%d",
                        &h, &count, &m, &s, &ms ) >= 4 )
            {
+                vobsub_track_t *current_tk = &p_sys->track[p_sys->i_tracks - 1];
                if( line[count-3] == '-' )
                {
                    i_sign = -1;
@@ -641,6 +656,10 @@ static int ParseVobSubIDX( demux_t *p_demux )
                         i_sign, (long long)i_gap,
                         (long long)current_tk->i_delay  );
            }
+            else
+            {
+                msg_Warn( p_demux, "reading delay failed" );
+            }
        }
    }
    return( 0 );
@@ -653,7 +672,7 @@ static int DemuxVobSub( demux_t *p_demux, block_t *p_bk )
    uint8_t     *p_end = &p_bk->p_buffer[p_bk->i_buffer];
    int i;
-    while( p < p_end )
+    while( p + 6 < p_end )
    {
        int i_size = ps_pkt_size( p, p_end - p );
        block_t *p_pkt;
@@ -661,9 +680,14 @@ static int DemuxVobSub( demux_t *p_demux, block_t *p_bk )
        int      i_spu;
        if( i_size <= 0 )
+            break;
+        if( i_size > p_end - p )
        {
+            msg_Warn( p_demux, "broken PES size" );
            break;
        }
        if( p[0] != 0 || p[1] != 0 || p[2] != 0x01 )
        {
            msg_Warn( p_demux, "invalid PES" );
@@ -694,13 +718,14 @@ static int DemuxVobSub( demux_t *p_demux, block_t *p_bk )
        for( i = 0; i < p_sys->i_tracks; i++ )
        {
-#define tk p_sys->track[i]
+            vobsub_track_t *p_tk = &p_sys->track[i];
            p_pkt->i_dts = p_pkt->i_pts = p_bk->i_pts;
            p_pkt->i_length = 0;
-            if( tk.p_es && tk.i_track_id == i_spu )
+            if( p_tk->p_es && p_tk->i_track_id == i_spu )
            {
-                es_out_Send( p_demux->out, tk.p_es, p_pkt );
+                es_out_Send( p_demux->out, p_tk->p_es, p_pkt );
                p_bk->i_pts = 0;     /*only first packet has a pts */
                break;
            }
@@ -708,9 +733,9 @@ static int DemuxVobSub( demux_t *p_demux, block_t *p_bk )
            {
                block_Release( p_pkt );
            }
-#undef tk
        }
    }
    return VLC_SUCCESS;
 }