[MPlayer-dev-eng] crash by subtitle

Wolfgang Becker uafr at gmx.de
Fri Dec 17 00:03:17 CET 2004


Hi,

there is a bug in subreader.c/demux_sputext.c which crashes mplayer/xine
when playing a movie with subtitles in subrip format. If the .sub
file contains an entry with too many lines, the program is killed
by SIGSEGV.

To reproduce this bug, take any movie file and create a .sub file with
the same name as the movie.

movie.sub
| [SUBTITLE]
| 00:00:01.00,00:01:00.00
| Line 1[br]Line 2[br]Line 3[br]Line 4[br]Line 5[br]Line 6[br]Line 7[br]Line 8[br]Line 9[br]Line 10[br]Line 11[br]Line 12


This can be fixed by changing
xine: libsputext/demux_sputext.c
static subtitle_t *sub_read_line_subviewer(demux_sputext_t *this, subtitle_t *current) 

mplayer: subreader.c
subtitle *sub_read_line_subrip(FILE *fd, subtitle *current) 


from
| p=q=line;
| for (current->lines=1; current->lines < SUB_MAX_TEXT; current->lines++) {
|     for (q=p,len=0; *p && *p!='\r' && *p!='\n' && *p!='|' && strncmp(p,"[br]",4); p++,len++);
|     current->text[current->lines-1]=(char *)malloc (len+1);
|     if (!current->text[current->lines-1]) return ERR;
|     strncpy (current->text[current->lines-1], q, len);
|     current->text[current->lines-1][len]='\0';
|     if (!*p || *p=='\r' || *p=='\n') break;
|     if (*p=='|') p++;
|     else while (*p++!=']');
| }

to

| p=q=line;
| for (current->lines=1; current->lines < SUB_MAX_TEXT; current->lines++) {
|     for (q=p,len=0; *p && *p!='\r' && *p!='\n' && *p!='|' && strncmp(p,"[br]",4); p++,len++);
|     current->text[current->lines-1]=(char *)malloc (len+1);
|     if (!current->text[current->lines-1]) return ERR;
|     strncpy (current->text[current->lines-1], q, len);
|     current->text[current->lines-1][len]='\0';
|     if (!*p || *p=='\r' || *p=='\n') break;
|     if (*p=='|') p++;
|     else while (*p++!=']');
|     if( current->lines == SUB_MAX_TEXT - 1 ) break; //quick and dirty fix
| }


That fix is not really nice, but neither is that part of the code.
I did not check if the fix works with xine, but as the code is 
the same it should.

HTH,
Wolfgang
-- 
Wolfgang Becker  ***  eMail uafr at gmx.de  ***  http://uafr.freeshell.org/
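
Added example, not part of the original post or of the MPlayer/xine sources: the posted loop run against the 12-entry line, with a flag for the proposed break, to compare the count left in `lines` with the number of `text[]` slots actually filled. `demo_sub`, `split_line`, `SAMPLE` and `SUB_MAX_TEXT = 10` are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SUB_MAX_TEXT 10                 /* assumed limit for this example */

typedef struct {                        /* hypothetical stand-in for the subtitle struct */
    int lines;
    char *text[SUB_MAX_TEXT];
} demo_sub;

/* Constructed input: the 12-entry line from the post. */
static const char SAMPLE[] =
    "Line 1[br]Line 2[br]Line 3[br]Line 4[br]Line 5[br]Line 6[br]"
    "Line 7[br]Line 8[br]Line 9[br]Line 10[br]Line 11[br]Line 12";

/* The posted splitting loop; with_fix adds the proposed early break.
 * Returns the number of text[] slots actually filled, -1 on malloc failure. */
int split_line(const char *line, demo_sub *s, int with_fix)
{
    const char *p = line, *q;
    size_t len;
    int filled = 0;

    memset(s, 0, sizeof *s);            /* unfilled slots stay NULL so they are visible */
    for (s->lines = 1; s->lines < SUB_MAX_TEXT; s->lines++) {
        for (q = p, len = 0; *p && *p != '\r' && *p != '\n' && *p != '|'
                             && strncmp(p, "[br]", 4); p++, len++)
            ;
        if (!(s->text[s->lines - 1] = malloc(len + 1))) return -1;
        memcpy(s->text[s->lines - 1], q, len);
        s->text[s->lines - 1][len] = '\0';
        filled++;
        if (!*p || *p == '\r' || *p == '\n') break;
        if (*p == '|') p++;
        else while (*p++ != ']') ;
        if (with_fix && s->lines == SUB_MAX_TEXT - 1) break;
    }
    return filled;
}

int main(void)
{
    demo_sub s;
    for (int fix = 0; fix <= 1; fix++) {
        int filled = split_line(SAMPLE, &s, fix);
        printf("fix=%d: lines=%d, slots filled=%d\n", fix, s.lines, filled);
        for (int i = 0; i < SUB_MAX_TEXT; i++) free(s.text[i]);
    }
    return 0;
}
```

Without the break, the loop runs out on its `current->lines < SUB_MAX_TEXT` condition and leaves `lines` one higher than the number of filled slots, so any code that walks `text[0..lines-1]` reads a slot the loop never set. That this read is what raises the SIGSEGV is an inference from the posted code, not something the post states.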



