From 5cb9aac3da98c92c75eb2099265d2825bd1445ef Mon Sep 17 00:00:00 2001
From: Uoti Urpala
Date: Sat, 20 Apr 2013 23:44:45 +0300
Subject: [PATCH] subreader: fix unsafe sscanf calls with "%["

"%[,.:]" conversion was used with a buffer that could be shorter than the matched string. Suppress assignment of the conversion since the value wasn't used anyway, and also limit match length to 1 as it doesn't look like the intent was to match longer runs of the characters.
---
 sub/subreader.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/sub/subreader.c b/sub/subreader.c
index 6cdc31c4c3..79e307ec09 100644
--- a/sub/subreader.c
+++ b/sub/subreader.c
@@ -384,14 +384,14 @@ static subtitle *sub_ass_read_line_subviewer(stream_t *st, subtitle *current,
 int a1, a2, a3, a4, b1, b2, b3, b4, j = 0;
 
 while (!current->text[0]) {
- char line[LINE_LEN + 1], full_line[LINE_LEN + 1], sep;
+ char line[LINE_LEN + 1], full_line[LINE_LEN + 1];
 int i;
 
 /* Parse SubRip header */
 if (!stream_read_line(st, line, LINE_LEN, utf16))
 return NULL;
- if (sscanf(line, "%d:%d:%d%[,.:]%d --> %d:%d:%d%[,.:]%d",
- &a1, &a2, &a3, &sep, &a4, &b1, &b2, &b3, &sep, &b4) < 10)
+ if (sscanf(line, "%d:%d:%d%*1[,.:]%d --> %d:%d:%d%*1[,.:]%d",
+ &a1, &a2, &a3, &a4, &b1, &b2, &b3, &b4) < 8)
 continue;
 
 current->start = a1 * 360000 + a2 * 6000 + a3 * 100 + a4 / 10;
@@ -448,7 +448,7 @@ static subtitle *sub_read_line_subviewer(stream_t *st,subtitle *current,
 return sub_ass_read_line_subviewer(st, current, args);
 while (!current->text[0]) {
 if (!stream_read_line (st, line, LINE_LEN, utf16)) return NULL;
- if ((len=sscanf (line, "%d:%d:%d%[,.:]%d --> %d:%d:%d%[,.:]%d",&a1,&a2,&a3,(char *)&i,&a4,&b1,&b2,&b3,(char *)&i,&b4)) < 10)
+ if ((len=sscanf (line, "%d:%d:%d%*1[,.:]%d --> %d:%d:%d%*1[,.:]%d",&a1,&a2,&a3,&a4,&b1,&b2,&b3,&b4)) < 8)
 continue;
 current->start = a1*360000+a2*6000+a3*100+a4/10;
 current->end = b1*360000+b2*6000+b3*100+b4/10;
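Review bot: The eight `%d` conversions on the new sscanf line in sub_ass_read_line_subviewer still store unchecked values: a digit run that does not fit in an int makes sscanf itself undefined behaviour (C11 7.21.6.2p10), a leading `-` is accepted so a negative timestamp field passes, and `a1 * 360000` on the `current->start` line overflows int for a1 above 5965. Because a subtitle file is untrusted input, a range check after the match is the missing piece, e.g. `if (a1 < 0 || a1 > 5000 || a2 < 0 || a2 > 59 || a3 < 0 || a3 > 59 || a4 < 0 || b1 < 0 || b1 > 5000 || b2 < 0 || b2 > 59 || b3 < 0 || b3 > 59 || b4 < 0) continue;` placed before the `current->start` computation. The same applies to the sscanf calls in sub_read_line_subviewer (second hunk) and sub_autodetect (third hunk), where `&i` receives the values. The body of sub_ass_read_line_subviewer continues outside the hunk.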
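Review bot: The format literal on the new line in sub_read_line_subviewer is the second of three identical copies of the SubViewer timing pattern (the others are in sub_ass_read_line_subviewer above and sub_autodetect in the third hunk); this commit had to edit all three, and the detector silently diverges from the parsers if one copy is missed next time. A single file-level `#define SUBVIEWER_TIME_FMT "%d:%d:%d%*1[,.:]%d --> %d:%d:%d%*1[,.:]%d"` used at all three call sites, with a one-line comment at the define stating that sub_autodetect must accept exactly what the parsers accept, keeps them in sync. If `i` was used in this function only as the target of the old `%[` conversion, its declaration (outside the hunk) is now unused here and will warn under -Wunused-variable. sub_read_line_subviewer starts and ends outside the hunk.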
@@ -1098,7 +1098,7 @@ static int sub_autodetect (stream_t* st, int *uses_time, int utf16) {
 {*uses_time=1;return SUB_MPL2;}
 if (sscanf (line, "%d:%d:%d.%d,%d:%d:%d.%d", &i, &i, &i, &i, &i, &i, &i, &i)==8)
 {*uses_time=1;return SUB_SUBRIP;}
- if (sscanf (line, "%d:%d:%d%[,.:]%d --> %d:%d:%d%[,.:]%d", &i, &i, &i, (char *)&i, &i, &i, &i, &i, (char *)&i, &i)==10)
+ if (sscanf (line, "%d:%d:%d%*1[,.:]%d --> %d:%d:%d%*1[,.:]%d", &i, &i, &i, &i, &i, &i, &i, &i) == 8)
 {*uses_time=1;return SUB_SUBVIEWER;}
 if (sscanf (line, "{T %d:%d:%d:%d",&i, &i, &i, &i)==4)
 {*uses_time=1;return SUB_SUBVIEWER2;}
--
2.11.4.GIT