[FFmpeg-devel] [PATCH] Fix memory corruption in srt_to_ass (subtitle decoder)

Aurelien Jacobs aurel at gnuage.org
Fri Mar 25 01:09:01 CET 2011


On Thu, Mar 24, 2011 at 05:17:56PM +0100, Alexandre Colucci wrote:
> 
> Hi,
> 
> The function srt_to_ass uses sscanf() with the conversion '%128[]'
> to parse srt data. The conversion '%128[]' requires a buffer that
> (in sscanf man page):
> "must be a pointer to char, and there must be enough room for all
> the characters in the string, plus a terminating NUL character."
> 
> Currently the buffer can only contain 128 characters but the sscanf
> call requires 128 + 1 (NUL character) = 129 characters.
> This sscanf call led in some cases to a memory corruption and can
> cause a crash. The proposed patch consists of increasing the size
> of the buffer.

Good catch !
Fixed by dropping the maximum string length to 127.
Thanks for the report.

BTW, did you notice this with an actual subtitle file, or with a
crafted/fuzzed file ?
If this happens with actual files, we should probably increase
buffer size so that we don't truncate the string.
Sample file welcome.

Aurel



More information about the ffmpeg-devel mailing list