avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf i…
…n inner loop for tag scanning

Fixes: [Semmle Security Reports #19438]
Fixes: dos_sscanf1.mkv

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1f00c97)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Kevin Backhouse via RT authored and michaelni committed May 13, 2019
1 parent abdbbe8 commit 23ccf3c
Showing 1 changed file with 29 additions and 1 deletion.
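--- a/libavcodec/htmlsubtitles.c
+++ b/libavcodec/htmlsubtitles.c
@@ -51,6 +51,34 @@ static void rstrip_spaces_buf(AVBPrint *buf)
 buf->str[--buf->len] = 0;
 }
 
+/*
+* Fast code for scanning the rest of a tag. Functionally equivalent to
+* this sscanf call:
+*
+* sscanf(in, "%127[^<>]>%n", buffer, lenp) == 2
+*/
+static int scantag(const char* in, char* buffer, int* lenp) {
+int len;
+
+for (len = 0; len < 128; len++) {
+const char c = *in++;
+switch (c) {
+case '\0':
+return 0;
+case '<':
+return 0;
+case '>':
+buffer[len] = '\0';
+*lenp = len+1;
+return 1;
+default:
+break;
+}
+buffer[len] = c;
+}
+return 0;
+}
+
 int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
 {
 char *param, buffer[128], tmp[128];
@@ -102,7 +130,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
 case '<':
 tag_close = in[1] == '/';
 len = 0;
-if (sscanf(in+tag_close+1, "%127[^<>]>%n", buffer, &len) >= 1 && len > 0) {
+if (scantag(in+tag_close+1, buffer, &len) && len > 0) {
 const char *tagname = buffer;
 while (*tagname == ' ')
 tagname++;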
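Review bot: scantag accepts an empty tag, which the sscanf it replaces did not — on input `<>` the loop sees '>' at len 0 and returns 1 with *lenp = 1, whereas `%127[^<>]` requires at least one character and fails, so ff_htmlmarkup_to_ass now enters the tag branch with an empty tagname (what that branch does with it lies below the hunk, outside this view). Preserving the old behavior is one line, `case '>': if (len == 0) return 0;` ahead of the terminator write, and the header comment's `== 2` should read `>= 1`, since `%n` is not counted in sscanf's return value and `>= 1` is the test the removed line actually used. The hard-coded 128 in the loop bound silently duplicates the caller's `buffer[128]` declaration in the same hunk; a shared define or a size parameter would keep the two from drifting apart. On style, the new definition uses `char* buffer` and puts the opening brace on the signature line, unlike the `int ff_htmlmarkup_to_ass(...)` / `{` form two lines below it in this file.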
