aboutsummaryrefslogtreecommitdiffstats
path: root/libavformat/mpsubdec.c
diff options
context:
space:
mode:
authorClément Bœsch <u@pkh.me>2013-09-08 18:02:45 +0200
committerAlexander Strasser <eclipse7@gmx.net>2013-09-16 21:39:34 +0200
commitc09acf9882803fd17762689859032c0866568e27 (patch)
tree5bbaf9d809b24e74c57a0794149d4d579e36a78f /libavformat/mpsubdec.c
parenta0779a2ee504e9f38cab91296ba96fa189804f9b (diff)
downloadffmpeg-c09acf9882803fd17762689859032c0866568e27.tar.gz
avformat/subtitles: add a next line jumper and use it.
This fixes a bunch of possible overread in avformat with the idiom p += strcspn(p, "\n") + 1 (strcspn() can focus on the trailing '\0' if no '\n' is found, so the +1 leads to an overread). Note on lavf/matroskaenc: no extra subtitles.o Makefile dependency is added because only the header is required for ff_subtitles_next_line(). Note on lavf/mpsubdec: code gets slightly complex to avoid an infinite loop in the probing since there is no more forced increment. NOTE: Code of function ff_subtitles_next_line fixed by Alexander Strasser. The original code from master did test the wrong character, but was corrected by a subsequent commit. That commit however is not backported, so it had to be fixed in this commit for the backport. Conflicts: libavformat/mpl2dec.c (cherry picked from commit 90fc00a623de44e137fe1601b91356e8cd8bdd54) Signed-off-by: Alexander Strasser <eclipse7@gmx.net>
Diffstat (limited to 'libavformat/mpsubdec.c')
-rw-r--r--libavformat/mpsubdec.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/libavformat/mpsubdec.c b/libavformat/mpsubdec.c
index 2acafaa81b..360a3d837f 100644
--- a/libavformat/mpsubdec.c
+++ b/libavformat/mpsubdec.c
@@ -37,12 +37,16 @@ static int mpsub_probe(AVProbeData *p)
const char *ptr_end = p->buf + p->buf_size;
while (ptr < ptr_end) {
+ int inc;
int n;
if (!memcmp(ptr, "FORMAT=TIME", 11) ||
sscanf(ptr, "FORMAT=%d", &n) == 1)
return AVPROBE_SCORE_MAX/2;
- ptr += strcspn(ptr, "\n") + 1;
+ inc = ff_subtitles_next_line(ptr);
+ if (!inc)
+ break;
+ ptr += inc;
}
return 0;
}