
#305 vobsub.c vobsub_get_subpic_duration reads off end of _data

Group: v1.0 (example)
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2014-03-10
Created: 2014-03-09
Creator: RyanS
Private: No

It looks like in vobsub.c vobsub_get_subpic_duration() reads data[psize] because the while loop doesn't break until (i + len > psize). So when len is 0, the loop iterates again with i == psize. So data[psize] gets referenced. If psize is the length of the buffer then that is running 1 byte off the end of the buffer.

Related

Bugs: #305

Discussion

  • Romain Bouqueau

    Romain Bouqueau - 2014-03-10

    Re, thanks for reporting.

    Same as #303: would it be possible to share a sample file with us? You can use wetransfer.com for example (stays alive for one week). And send it via PM if you don't want the URL to be public.

    Thanks,

    Romain

    • RyanS

      RyanS - 2014-03-11

      Hi Romain,

      Here is an example of a .sub file that elicits this latent bug. The root cause is that the .sub file does not have a command termination value (some value > 6) before the end of the data. This .sub was created by a recent version of Subtitle Edit. I think it's caused by a bug in Subtitle Edit which I have reported to the author. He has applied a patch.

      This is not a very important gpac bug because it is caused by a bad file, but anyway thought it was worth mentioning.

      Ryan

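Added illustration, not gpac's code: a constructed model of the loop pattern from the bug report (exit test `i + len > psize`) alongside a bounds-checked walk, driven by two constructed packets, one terminated and one missing the end command as in Ryan's follow-up. The opcode/payload table is an assumption for the model only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not gpac's code): opcodes 0..6 carry a fixed payload;
 * any opcode > 6 terminates the command list. */
static const size_t PAYLOAD_LEN[7] = {0, 0, 0, 2, 2, 6, 4};

/* Buggy walk: the loop only stops once (i + len > psize). After a zero-payload
 * command that ends exactly at psize, i becomes psize and data[psize] is read.
 * Returns the highest index read so the overrun is observable. */
size_t walk_unsafe(const uint8_t *data, size_t psize) {
    size_t i = 0, len = 0, max_read = 0;
    while (i + len <= psize) {
        i += len;
        if (i > max_read) max_read = i;
        uint8_t cmd = data[i];            /* i == psize here is the OOB read */
        if (cmd > 6) break;
        len = 1 + PAYLOAD_LEN[cmd];
    }
    return max_read;
}

/* Hardened walk: never read at or past psize, reject truncated payloads and
 * report a missing terminator instead of walking off the end.
 * Returns 0 on a clean terminator, -1 on truncated or unterminated input. */
int walk_safe(const uint8_t *data, size_t psize, size_t *ncmds) {
    size_t i = 0, n = 0;
    while (i < psize) {
        uint8_t cmd = data[i++];
        if (cmd > 6) { *ncmds = n; return 0; }
        if (PAYLOAD_LEN[cmd] > psize - i) { *ncmds = n; return -1; }
        i += PAYLOAD_LEN[cmd];
        n++;
    }
    *ncmds = n;
    return -1;   /* data exhausted with no terminator: the .sub from the report */
}

/* Constructed packets (psize = 5 for BAD; its 6th byte is only a sentinel so
 * the model's one-byte overrun stays inside the array). */
static const uint8_t GOOD[] = {0x01, 0x03, 0xAA, 0xBB, 0x02, 0xFF};
static const uint8_t BAD[]  = {0x01, 0x03, 0xAA, 0xBB, 0x02, 0x00};

int main(void) {
    size_t n;
    printf("unsafe, unterminated: highest index read = %zu (psize = 5)\n", walk_unsafe(BAD, 5));
    printf("safe, unterminated: rc = %d, commands = %zu\n", walk_safe(BAD, 5, &n), n);
    printf("safe, terminated:   rc = %d, commands = %zu\n", walk_safe(GOOD, 6, &n), n);
    return 0;
}
```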