ffmpeg | branch: release/3.2 | Kevin Backhouse via RT <[email protected]> | Wed Feb 6 12:56:01 2019 +0000| [273f2755ce8635d42da3cde0eeba15b2e7842774] | committer: Michael Niedermayer
avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces Fixes: [Semmle Security Reports #19439] Fixes: dos_sscanf2.mkv Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 894995c41e0795c7a44f81adc4838dedc3932e65) Signed-off-by: Michael Niedermayer <[email protected]> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=273f2755ce8635d42da3cde0eeba15b2e7842774 --- libavcodec/htmlsubtitles.c | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index 80d0f40553..7b493c8369 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -22,6 +22,7 @@ #include "libavutil/common.h" #include "libavutil/parseutils.h" #include "htmlsubtitles.h" +#include <ctype.h> static int html_color_parse(void *log_ctx, const char *str) { @@ -52,6 +53,25 @@ static void rstrip_spaces_buf(AVBPrint *buf) } /* + * Fast code for scanning text enclosed in braces. Functionally + * equivalent to this sscanf call: + * + * sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0 + */ +static int scanbraces(const char* in) { + if (strncmp(in, "{\\an", 4) != 0) { + return 0; + } + if (!isdigit(in[4])) { + return 0; + } + if (in[5] != '}') { + return 0; + } + return 1; +} + +/* * Fast code for scanning the rest of a tag. Functionally equivalent to * this sscanf call: * @@ -110,9 +130,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) break; case '{': /* skip all {\xxx} substrings except for {\an%d} and all microdvd like styles such as {Y:xxx} */ - len = 0; - an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0; - + an += scanbraces(in); if (!closing_brace_missing) { if ( (an != 1 && in[1] == '\\') || (in[1] && strchr("CcFfoPSsYy", in[1]) && in[2] == ':')) { _______________________________________________ ffmpeg-cvslog mailing list [email protected] https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email [email protected] with subject "unsubscribe".
