avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for tag scaning

Fixes: [Semmle Security Reports #19438]
Fixes: dos_sscanf1.mkv

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Kevin Backhouse via RT 2019-02-06 11:29:22 +00:00 committed by Michael Niedermayer
parent 7246bf365a
commit 1f00c97bc3
1 changed files with 29 additions and 1 deletions


@ -74,6 +74,34 @@ struct font_tag {
uint32_t color;
};
/*
* Fast code for scanning the rest of a tag. Functionally equivalent to
* this sscanf call:
*
* sscanf(in, "%127[^<>]>%n", buffer, lenp) == 2
*/
static int scantag(const char* in, char* buffer, int* lenp) {
int len;
for (len = 0; len < 128; len++) {
const char c = *in++;
switch (c) {
case '\0':
return 0;
case '<':
return 0;
case '>':
buffer[len] = '\0';
*lenp = len+1;
return 1;
default:
break;
}
buffer[len] = c;
}
return 0;
}
/*
* The general politic of the convert is to mask unsupported tags or formatting
* errors (but still alert the user/subtitles writer with an error/warning)
@ -155,7 +183,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
len = 0;
if (sscanf(in+tag_close+1, "%127[^<>]>%n", buffer, &len) >= 1 && len > 0) {
if (scantag(in+tag_close+1, buffer, &len) && len > 0) {
const int skip = len + tag_close;
const char *tagname = buffer;
while (*tagname == ' ') {
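Review bot: scantag() is not quite the documented equivalent of the sscanf call it replaces: `%127[^<>]` is a matching failure on an empty name, so `<>` previously failed the `if`, whereas the new loop sees '>' at len == 0 and returns 1 with `buffer` empty and `*lenp == 1`, so the caller at the second hunk now continues with `tagname` pointing at an empty string. If that is intended the header comment should say so; if not, `case '>': if (len == 0) return 0;` restores the old behaviour. The function also relies on `buffer` having room for at least 128 bytes (it can write `buffer[127]`), a contract that was only implied by the `%127` in the removed line and is now a hard-coded constant in two places; I would state it in the header comment (`buffer must hold at least 128 bytes`) or pass the size as a parameter. Minor: `%n` does not count toward sscanf's return value, so the comment's `== 2` can never hold; the replaced line actually tested `>= 1 && len > 0`. The body of ff_htmlmarkup_to_ass starts and ends outside the hunk.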