[FFmpeg-cvslog] avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces

Kevin Backhouse via RT git at videolan.org
Tue May 14 01:44:44 EEST 2019 

ffmpeg | branch: release/3.2 | Kevin Backhouse via RT <security-reports at semmle.com> | Wed Feb  6 12:56:01 2019 +0000| [273f2755ce8635d42da3cde0eeba15b2e7842774] | committer: Michael Niedermayer

avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces

Fixes: [Semmle Security Reports #19439]
Fixes: dos_sscanf2.mkv

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 894995c41e0795c7a44f81adc4838dedc3932e65)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=273f2755ce8635d42da3cde0eeba15b2e7842774
---

 libavcodec/htmlsubtitles.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c
index 80d0f40553..7b493c8369 100644
--- a/libavcodec/htmlsubtitles.c
+++ b/libavcodec/htmlsubtitles.c
@@ -22,6 +22,7 @@
 #include "libavutil/common.h"
 #include "libavutil/parseutils.h"
 #include "htmlsubtitles.h"
+#include <ctype.h>
 
 static int html_color_parse(void *log_ctx, const char *str)
 {
@@ -52,6 +53,25 @@ static void rstrip_spaces_buf(AVBPrint *buf)
 }
 
 /*
+ * Fast code for scanning text enclosed in braces. Functionally
+ * equivalent to this sscanf call:
+ *
+ * sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0
+ */
+static int scanbraces(const char* in) {
+    if (strncmp(in, "{\\an", 4) != 0) {
+        return 0;
+    }
+    if (!isdigit(in[4])) {
+        return 0;
+    }
+    if (in[5] != '}') {
+        return 0;
+    }
+    return 1;
+}
+
+/*
  * Fast code for scanning the rest of a tag. Functionally equivalent to
  * this sscanf call:
  *
@@ -110,9 +130,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
             break;
         case '{':    /* skip all {\xxx} substrings except for {\an%d}
                         and all microdvd like styles such as {Y:xxx} */
-            len = 0;
-            an += sscanf(in, "{\\an%*1u}%n", &len) >= 0 && len > 0;
-
+            an += scanbraces(in);
             if (!closing_brace_missing) {
                 if (   (an != 1 && in[1] == '\\')
                     || (in[1] && strchr("CcFfoPSsYy", in[1]) && in[2] == ':')) {

More information about the ffmpeg-cvslog mailing list