[MPlayer-dev-eng] [PATCH] fix SAMI parsing
Howard Chu
hyc at highlandsun.com
Tue Jun 8 00:29:20 CEST 2010
Reimar Döffinger wrote:
> On Mon, Jun 07, 2010 at 10:40:54AM -0700, Howard Chu wrote:
>> Reimar Döffinger wrote:
>>>> Did that. Also had to check for " " in addition to " ".
>>>
>>> And how do you know that you/we did not yet miss another case?
>>> Especially since no base is specified in the strtol call.
>>
>> With base = 0 the only possibilities are base 8, 10, and 16. At most
>> base 16 packs 4 bits per byte so again, there is no chance for
>> overflow. Also keep in mind that there's 3 bytes of slop for free -
>> the "&#;" are being dropped.
>
> You said that the last time as well.
> I see more complex, more risky code at a security-relevant point
> for no benefit at all.
>
>>> This code is simply too complex for security-critical code
>>> where a mistake will allow writing arbitrary values onto the stack.
>>> Just add a
>>> if (p - text>= sizeof(text) - 8)
>>
>> Maximum length for UTF-8 is 6 bytes.
>
> Where did you get that from? To my knowledge the longest valid UTF-8
> is 4 bytes (which is without any relevance here though),
Try the original spec, RFC2279.
http://www.ietf.org/rfc/rfc2279.txt
Section 2. UTF-8 definition
>>>>
In UTF-8, characters are encoded using sequences of 1 to 6 octets.
<<<<
> the maximum length for PUT_UTF8 is 7 bytes, and we need a
> 0-termination.
If PUT_UTF8 can output 7 bytes then it's broken.
> Here's even a patch to do this way that avoids losing any data if possible...
> Index: subreader.c
> ===================================================================
> --- subreader.c (revision 31346)
> +++ subreader.c (working copy)
> @@ -170,6 +170,8 @@
>
> case 3: /* get all text until '<' appears */
> if (*s == '\0') break;
> + else if (p - text>= sizeof(text) - 8)
> + sami_add_line(current, text,&p);
> else if (!strncasecmp (s, "<br>", 4)) {
> sami_add_line(current, text,&p);
> s += 4;
I respect your attention to detail and security-consciousness. I don't respect
your treatment of this topic with superstition, instead of facts.
I gave you solid facts - a binary number read from a base16 string cannot
overflow the original space - and you're the one handwaving them away.
You gave a completely valid criticism - negative numbers need to be checked.
Unicode is only defined for 0-0x7fffffff, i.e., positive only, and I've
addressed that. The rest is just superstition.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
More information about the MPlayer-dev-eng
mailing list