[FFmpeg-cvslog] mkv: Validate ASS Start and End fields

Fri Dec 5 23:39:22 CET 2014

ffmpeg | branch: master | Luca Barbato <lu_zero at gentoo.org> | Wed Oct 29 20:39:46 2014 +0100| [69c1fe7c9c9bc85eebfc02c6a19caf7e88cd74ff] | committer: Vittorio Giovara

mkv: Validate ASS Start and End fields

CC: libav-stable at libav.org

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=69c1fe7c9c9bc85eebfc02c6a19caf7e88cd74ff
---

 libavformat/matroskaenc.c |   21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c
index 4ec474d..8a7cfa1 100644
--- a/libavformat/matroskaenc.c
+++ b/libavformat/matroskaenc.c
@@ -1227,7 +1227,7 @@ static int mkv_blockgroup_size(int pkt_size)
     return size;
 }
 
-static int ass_get_duration(const uint8_t *p)
+static int ass_get_duration(AVFormatContext *s, const uint8_t *p)
 {
     int sh, sm, ss, sc, eh, em, es, ec;
     uint64_t start, end;
@@ -1235,8 +1235,25 @@ static int ass_get_duration(const uint8_t *p)
     if (sscanf(p, "%*[^,],%d:%d:%d%*c%d,%d:%d:%d%*c%d",
                &sh, &sm, &ss, &sc, &eh, &em, &es, &ec) != 8)
         return 0;
+
+    if (sh > 9 || sm > 59 || ss > 59 || sc > 99 ||
+        eh > 9 || em > 59 || es > 59 || ec > 99) {
+        av_log(s, AV_LOG_WARNING,
+               "Non-standard time reference %d:%d:%d.%d,%d:%d:%d.%d\n",
+               sh, sm, ss, sc, eh, em, es, ec);
+        return 0;
+    }
+
     start = 3600000 * sh + 60000 * sm + 1000 * ss + 10 * sc;
     end   = 3600000 * eh + 60000 * em + 1000 * es + 10 * ec;
+
+    if (start > end) {
+        av_log(s, AV_LOG_WARNING,
+               "Unexpected time reference %d:%d:%d.%d,%d:%d:%d.%d\n",
+               sh, sm, ss, sc, eh, em, es, ec);
+        return 0;
+    }
+
     return end - start;
 }
 
@@ -1250,7 +1267,7 @@ static int mkv_write_ass_blocks(AVFormatContext *s, AVIOContext *pb,
     char buffer[2048];
 
     while (data_size) {
-        int duration = ass_get_duration(data);
+        int duration = ass_get_duration(s, data);
         max_duration = FFMAX(duration, max_duration);
         end          = memchr(data, '\n', data_size);
         size         = line_size = end ? end - data + 1 : data_size;

