rbouqueau / gpac

GPAC mirror from the SourceForge Subversion
GNU Lesser General Public License v2.1

[Bug] vobsub.c vobsub_get_subpic_duration reads off end of _data [sf#305] #305

Open rbouqueau opened 10 years ago

rbouqueau commented 10 years ago

Reported by ryanseghers on 2014-03-09 23:10 UTC It looks like in vobsub.c vobsub_get_subpic_duration() reads data[psize] because the while loop doesn't break until (i + len > psize). So when len is 0, the loop iterates again with i == psize. So data[psize] gets referenced. If psize is the length of the buffer then that is running 1 byte off the end of the buffer.

rbouqueau commented 10 years ago

Commented by rbouqueau on 2014-03-10 08:00 UTC Re, thanks for reporting.

Same as #303: would it be possible to share a sample file with us? You can use wetransfer.com for example (stays alive for one week). And send it via PM if you don't want the URL to be public.

Thanks,

Romain

rbouqueau commented 10 years ago

Commented by ryanseghers on 2014-03-11 04:00 UTC Hi Romain,

Here is an example of a .sub file that elicits this latent bug. The root cause is that the .sub file does not have a command termination value (some value > 6) before the end of the data. This .sub was created by a recent version of Subtitle Edit. I think it's caused by a bug in Subtitle Edit which I have reported to the author. He has applied a patch.

This is not a very important gpac bug because it is caused by a bad file, but anyway thought it was worth mentioning.

Ryan
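Added example, written for this thread and not taken from gpac's vobsub.c: a deliberately simplified, hypothetical model of the control-sequence walk the report describes, showing the over-reading loop beside a bounds-checked one. The command/payload-length table, the function names, the `parse_result` struct and the sample bytes are assumptions made for the illustration. The checked version also treats a buffer that ends without a terminator (the root cause named above) as truncated, malformed input instead of continuing to read.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed simplified control sequence (not the real VobSub layout as gpac
 * parses it): one command byte, then a fixed-size payload. Commands 0..2
 * carry no payload, 3 and 4 carry 2 bytes, 5 carries 6, 6 carries 4, and
 * any value > 6 terminates the sequence. */
static const size_t payload_len[7] = {0, 0, 0, 2, 2, 6, 4};

struct parse_result {
    int commands;     /* commands decoded before stopping */
    size_t max_index; /* highest index read from data[] */
    int truncated;    /* 1 if the buffer ended without a terminator */
};

/* Buggy form, modelled on the report: the loop only stops once
 * i + len > psize, where i + len is the index of the next command byte.
 * Because the test is <= rather than <, i + len == psize is admitted and
 * data[psize], one byte past the buffer, is read. */
static struct parse_result parse_buggy(const unsigned char *data, size_t psize) {
    struct parse_result r = {0, 0, 0};
    size_t i = 0, len = 0;
    while (i + len <= psize) {
        i += len;                 /* skip the previous command's payload */
        if (i > r.max_index) r.max_index = i;
        unsigned char cmd = data[i]; /* over-read when i == psize */
        if (cmd > 6) break;
        len = payload_len[cmd];
        r.commands++;
        i += 1;                   /* step over the command byte */
    }
    return r;
}

/* Checked form: refuse to read a command byte at or past psize, and refuse
 * a payload that does not fit in the remaining bytes. A buffer with no
 * terminator is reported as truncated rather than read past its end. */
static struct parse_result parse_checked(const unsigned char *data, size_t psize) {
    struct parse_result r = {0, 0, 0};
    size_t i = 0;
    for (;;) {
        if (i >= psize) { r.truncated = 1; break; } /* no terminator seen */
        if (i > r.max_index) r.max_index = i;
        unsigned char cmd = data[i];
        if (cmd > 6) break;
        size_t len = payload_len[cmd];
        if (psize - i - 1 < len) { r.truncated = 1; break; } /* payload overruns */
        r.commands++;
        i += 1 + len;
    }
    return r;
}

/* Constructed sample: a 2-byte-payload command, then a no-payload command,
 * and no terminator within the first SAMPLE_PSIZE bytes. The trailing 0xFF
 * stands in for whatever memory follows the real buffer so the over-read
 * is observable here without undefined behaviour. */
#define SAMPLE_PSIZE 4
static const unsigned char sample[] = {0x03, 0x00, 0x0a, 0x01, 0xFF};

int main(void) {
    struct parse_result b = parse_buggy(sample, SAMPLE_PSIZE);
    struct parse_result c = parse_checked(sample, SAMPLE_PSIZE);
    printf("buggy:   commands=%d max_index=%zu (psize=%d)\n",
           b.commands, b.max_index, SAMPLE_PSIZE);
    printf("checked: commands=%d max_index=%zu truncated=%d\n",
           c.commands, c.max_index, c.truncated);
    return 0;
}
```

With the constructed sample the buggy walk reads index 4 on a 4-byte buffer, while the checked walk stops at index 3 and flags the input as truncated; on a well-formed sequence that does end in a terminator both versions decode the same commands.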


Status: open Group: v1.0 (example) Created: Sun Mar 09, 2014 11:10 PM UTC by RyanS Last Updated: Sun Mar 09, 2014 11:10 PM UTC Owner: nobody
