
Commit 273f275

Kevin Backhouse via RTmichaelni
Kevin Backhouse via RT
authored andcommitted
avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces
Fixes: [Semmle Security Reports #19439] Fixes: dos_sscanf2.mkv Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 894995c) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
1 parent 23ccf3c commit 273f275


1 file changed

+21
-3
lines changed

1 file changed

+21
-3
lines changed

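--- a/libavcodec/htmlsubtitles.c
+++ b/libavcodec/htmlsubtitles.c
@@ -22,6 +22,7 @@
 #include "libavutil/common.h"
 #include "libavutil/parseutils.h"
 #include "htmlsubtitles.h"
+#include <ctype.h>
 
 static int html_color_parse(void *log_ctx, const char *str)
 {
@@ -51,6 +52,25 @@ static void rstrip_spaces_buf(AVBPrint *buf)
             buf->str[--buf->len] = 0;
 }
 
+/*
+ * Fast code for scanning text enclosed in braces. Functionally
+ * equivalent to this sscanf call:
+ *
+ * sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0
+ */
+static int scanbraces(const char* in) {
+    if (strncmp(in, "{\\an", 4) != 0) {
+        return 0;
+    }
+    if (!isdigit(in[4])) {
+        return 0;
+    }
+    if (in[5] != '}') {
+        return 0;
+    }
+    return 1;
+}
+
 /*
  * Fast code for scanning the rest of a tag. Functionally equivalent to
  * this sscanf call:
@@ -110,9 +130,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
             break;
         case '{':    /* skip all {\xxx} substrings except for {\an%d}
                         and all microdvd like styles such as {Y:xxx} */
-            len = 0;
-            an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0;
-
+            an += scanbraces(in);
             if (!closing_brace_missing) {
                 if (   (an != 1 && in[1] == '\\')
                     || (in[1] && strchr("CcFfoPSsYy", in[1]) && in[2] == ':')) {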
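Review bot: `isdigit(in[4])` in the new scanbraces() is passed a plain `char` taken from untrusted subtitle text; on platforms where `char` is signed, a byte with the high bit set becomes a negative value other than EOF, which is undefined behaviour for the ctype functions, and isdigit() is also locale-dependent. libavutil already provides the ASCII-only `av_isdigit()` in libavutil/avstring.h, so `if (!av_isdigit(in[4])) {` would fix both points and make the new `#include <ctype.h>` in the first hunk unnecessary; failing that, `if (!isdigit((unsigned char)in[4])) {`. The header comment's "functionally equivalent" claim is slightly stronger than what the code does: the `%*1u` conversion in the old sscanf() skipped leading whitespace, so an input such as `{\an 5}` used to count as a positioning tag and no longer does, which is worth stating in the comment if the stricter behaviour is intended. The accesses to in[4] and in[5] are in bounds because each is reached only after the preceding byte was matched as non-NUL, which might be worth a one-line comment for future maintainers. The ff_htmlmarkup_to_ass() body in the last hunk begins and ends outside the hunk.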
