subparse: Make sure that subrip time string is not too long before zero-padding

Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4419
Fixes CVE-2025-47806

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9132>
This commit is contained in:
Sebastian Dröge 2025-05-08 12:46:40 +03:00 committed by GStreamer Marge Bot
parent 9e2238adc1
commit edca7f83d1

View File

@ -858,7 +858,7 @@ parse_subrip_time (const gchar * ts_string, GstClockTime * t)
g_strdelimit (s, " ", '0');
g_strdelimit (s, ".", ',');
/* make sure we have exactly three digits after he comma */
/* make sure we have exactly three digits after the comma */
p = strchr (s, ',');
if (p == NULL) {
/* If there isn't a ',' the timestamp is broken */
@ -867,6 +867,15 @@ parse_subrip_time (const gchar * ts_string, GstClockTime * t)
return FALSE;
}
/* Check if the comma is too far into the string to avoid
* stack overflow when zero-padding the sub-second part.
*
* Allow for 3 digits of hours just in case. */
if ((p - s) > sizeof ("hhh:mm:ss,")) {
GST_WARNING ("failed to parse subrip timestamp string '%s'", s);
return FALSE;
}
++p;
len = strlen (p);
if (len > 3) {