[FFmpeg-devel] [PATCH] Fix memory corruption in srt_to_ass (subtitle decoder)

Alexandre Colucci alexandre at elgato.com
Fri Mar 25 09:34:25 CET 2011
> On Thu, Mar 24, 2011 at 05:17:56PM +0100, Alexandre Colucci wrote:
>> 
>> Hi,
>> 
>> The function srt_to_ass uses sscanf() with the conversion '%128[]'
>> to parse srt data. The conversion '%128[]' requires a buffer that
>> (in sscanf man page):
>> "must be a pointer to char, and there must be enough room for all
>> the characters in the string, plus a terminating NUL character."
>> 
>> Currently the buffer can only contain 128 characters but the sscanf
>> call requires 128 + 1 (NUL character) = 129 characters.
>> This sscanf call led in some cases to a memory corruption and can
>> cause a crash. The proposed patch consists of increasing the size
>> of the buffer.
> 
> Good catch!
> Fixed by dropping the maximum string length to 127.
> Thanks for the report.
> 
> BTW, did you notice this with an actual subtitle file, or with a
> crafted/fuzzed file?
> If this happens with actual files, we should probably increase
> buffer size so that we don't truncate the string.
> Sample file welcome.
> 
> Aurel
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 


I noticed this issue when doing some tests. So far the maximum string length I saw in actual subtitle files was 55. So 127 should be fine in all cases.

Alexandre
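The off-by-one described in the report, shown as an added example that is not FFmpeg's code (the "<font ...>" tag pattern, the helper names and the constructed inputs are assumptions for illustration). The first function measures how many bytes a "%N[...]" conversion actually stores for an over-long input, scanning into an oversized sentinel-filled buffer so the measurement itself is safe; the second is the hardened form, where the width is derived from the buffer size at compile time so the two cannot drift apart again.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not FFmpeg's srt_to_ass. The point is the width rule:
 * sscanf's "%N[...]" stores up to N characters PLUS a terminating NUL,
 * so the destination must hold N + 1 bytes. */

#define SCRATCH 512

/* Measure how many bytes "%<width>[^>]" writes for an over-long input.
 * We scan into an oversized buffer pre-filled with a sentinel so the
 * measurement cannot overflow; the count is the number of bytes that
 * changed (stored characters plus the NUL). */
static int bytes_written_by_width(int width)
{
    char scratch[SCRATCH];
    char input[SCRATCH];
    char fmt[32];
    int n = 0;

    if (width <= 0 || width > SCRATCH - 2)
        return -1;
    memset(scratch, 'X', sizeof scratch);         /* sentinel: untouched bytes stay 'X' */
    memset(input, 'a', sizeof input - 1);         /* constructed input, far longer than width */
    input[sizeof input - 1] = '\0';
    snprintf(fmt, sizeof fmt, "%%%d[^>]", width); /* builds e.g. "%128[^>]" */
    if (sscanf(input, fmt, scratch) != 1)
        return -1;
    while (n < SCRATCH && scratch[n] != 'X')
        n++;
    return n;                                     /* == width + 1 */
}

/* Hardened form: derive the width from the buffer size at compile time,
 * so a 128-byte buffer can never again be paired with a 128 width. */
#define TAG_WIDTH 127
#define TAG_BUF   (TAG_WIDTH + 1)
#define STR_(x) #x
#define STR(x)  STR_(x)

/* Parse the attribute text of a "<font ...>" tag (assumed pattern) into
 * out[TAG_BUF]. Returns the stored length, or -1 when nothing matched.
 * Inputs longer than TAG_WIDTH are truncated, never written past the end. */
static int parse_font_tag(const char *in, char out[TAG_BUF])
{
    if (sscanf(in, "<font %" STR(TAG_WIDTH) "[^>]", out) != 1)
        return -1;
    return (int)strlen(out);
}

/* Convenience wrapper: parse into a local buffer and report the length. */
static int stored_length(const char *in)
{
    char out[TAG_BUF];
    return parse_font_tag(in, out);
}

/* Constructed over-long tag with 300 attribute characters. Returns 1 when
 * the result was clamped to TAG_WIDTH and NUL-terminated inside the buffer. */
static int long_input_is_clamped(void)
{
    char in[320];
    char out[TAG_BUF];
    int len;

    memcpy(in, "<font ", 6);
    memset(in + 6, 'a', 300);
    in[306] = '>';
    in[307] = '\0';
    len = parse_font_tag(in, out);
    return len == TAG_WIDTH && out[TAG_WIDTH] == '\0';
}

int main(void)
{
    printf("%%128[^>] stores %d bytes: one past a 128-byte buffer\n",
           bytes_written_by_width(128));
    printf("%%127[^>] stores %d bytes: fits a 128-byte buffer\n",
           bytes_written_by_width(127));
    printf("over-long tag clamped safely: %d\n", long_input_is_clamped());
    return 0;
}
```

The measurement helper returns 129 for width 128 and 128 for width 127, which is exactly the one-byte overrun the report describes. Note that the hardened parser still silently truncates; callers that care whether the stored text was cut short should compare the returned length against TAG_WIDTH.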