Opened 8 months ago

Closed 8 months ago

Last modified 8 months ago

#13436 closed Bug Report - Crash (fixed)

Potential crash in CC708 append_cc function.

Reported by: David Hampton
Owned by: David Hampton
Priority: minor
Milestone: 30.1
Component: MythTV - Captions
Version: Master Head
Severity: medium
Keywords:
Cc:
Ticket locked: no

Description

The append_cc function calls rightsize_buf, which attempts to reallocate the caption buffer when there is not enough space for the incoming characters. It is possible, though extremely unlikely, that the reallocation fails; in that case the buffer pointer is overwritten with the nullptr that realloc returns, and any subsequent attempt to write through that pointer will crash the frontend.
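To make the failure mode concrete, the following is an added example written for this ticket; it is not MythTV's cc708decoder.cpp code. It uses a constructed CcBuffer struct, a hypothetical checked_realloc wrapper with a set_alloc_limit knob (assumed, so that an allocation failure can be simulated offline), and a 512-byte default buffer as described above. rightsize_buf_unsafe shows the pattern the ticket describes: the realloc result overwrites the only copy of the buffer pointer, so a failure both leaks the old block and leaves a null pointer that the next append dereferences. rightsize_buf and append_cc show the fix the commit describes: keep the old buffer when realloc fails and drop the characters that do not fit.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <cstdio>
#include <string>

// Constructed stand-in for the decoder's caption buffer (not MythTV's types).
struct CcBuffer {
    char  *buf  = nullptr;
    size_t size = 0;   // bytes allocated
    size_t used = 0;   // bytes currently holding caption text
};

constexpr size_t kDefaultSize = 512;   // initial buffer size named in the ticket

// Hypothetical allocator hook: any request larger than the limit fails,
// which lets us exercise the realloc-failure path deterministically.
static size_t g_alloc_limit = SIZE_MAX;
void set_alloc_limit(size_t limit) { g_alloc_limit = limit; }
static void *checked_realloc(void *p, size_t n) {
    return (n > g_alloc_limit) ? nullptr : std::realloc(p, n);
}

bool cc_init(CcBuffer &b) {
    b.buf = static_cast<char *>(std::malloc(kDefaultSize));
    if (!b.buf) return false;
    b.size = kDefaultSize;
    b.used = 0;
    return true;
}

void cc_free(CcBuffer &b) {
    std::free(b.buf);
    b.buf = nullptr;
    b.size = b.used = 0;
}

static size_t grown_size(const CcBuffer &b, size_t needed) {
    size_t newsize = b.size;
    while (newsize < b.used + needed) newsize *= 2;   // double until it fits
    return newsize;
}

// BEFORE (the defect): realloc's return value replaces the buffer pointer
// unconditionally. On failure buf becomes nullptr, the old block leaks, and
// size is updated as if the allocation had succeeded. Kept for illustration only.
void rightsize_buf_unsafe(CcBuffer &b, size_t needed) {
    if (b.used + needed <= b.size) return;
    size_t newsize = grown_size(b, needed);
    b.buf  = static_cast<char *>(checked_realloc(b.buf, newsize));  // may be nullptr
    b.size = newsize;                                                // now a lie
}

// AFTER (the fix): store the result in a temporary, keep the old buffer on
// failure, and tell the caller that no extra room is available.
bool rightsize_buf(CcBuffer &b, size_t needed) {
    if (b.used + needed <= b.size) return true;
    size_t newsize = grown_size(b, needed);
    char *nb = static_cast<char *>(checked_realloc(b.buf, newsize));
    if (!nb) return false;            // b.buf and b.size remain valid
    b.buf  = nb;
    b.size = newsize;
    return true;
}

// Append caption text; if the buffer cannot grow, drop the characters that
// do not fit rather than writing through a null pointer.
// Returns the number of bytes actually appended.
size_t append_cc(CcBuffer &b, const char *text, size_t len) {
    if (!rightsize_buf(b, len)) {
        size_t room = b.size - b.used;
        len = room < len ? room : len;          // truncate to the existing buffer
    }
    std::memcpy(b.buf + b.used, text, len);
    b.used += len;
    return len;
}

int main() {
    CcBuffer b;
    if (!cc_init(b)) return 1;
    std::string caption(600, 'x');              // constructed oversized subtitle
    set_alloc_limit(512);                       // make the growth to 1024 bytes fail
    size_t n1 = append_cc(b, caption.data(), 500);
    size_t n2 = append_cc(b, caption.data(), 100);   // only 12 bytes fit
    std::printf("appended %zu then %zu bytes; buffer still valid: %s\n",
                n1, n2, b.buf ? "yes" : "no");
    cc_free(b);
    return 0;
}
```

The only difference between the two rightsize functions is the temporary: assigning realloc's result straight back to the pointer is the idiom that turns a rare allocation failure into a crash (and a leak), which is exactly what the clang-tidy check flagged here.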

Change History (2)

comment:1 Changed 8 months ago by David Hampton <mythtv@…>

Resolution: fixed
Status: assigned → closed

In d0356aba3c/mythtv:

tidy: Fix rare null pointer dereference in cc708decoder.cpp.

The clang-tidy "non-null parameter checker" pointed out the possibility
of the cc708 decoder dereferencing through a null pointer. This code
starts with a default buffer size of 512 and then attempts to allocate
a larger buffer when necessary (in this case, if a single subtitle is
more than 512 characters.) If the reallocation fails, the code would
end up storing the nullptr error return into the buffer pointer, and
then dereference it in an attempt to store the new characters. Catch
this rare condition and drop the characters that won't fit into the
existing buffer.

Fixes #13436.

comment:2 Changed 8 months ago by David Hampton <mythtv@…>

In ff4c7158f/mythtv:

tidy: Fix rare null pointer dereference in cc707decoder.cpp.

The clang-tidy "non-null parameter checker" pointed out the possibility
of the cc708 decoder dereferencing through a null pointer. This code
starts with a default buffer size of 512 and then attempts to allocate
a larger buffer when necessary (in this case, if a single subtitle is
more than 512 characters.) If the reallocation fails, the code would
end up storing the nullptr error return into the buffer pointer, and
then dereference it in an attempt to store the new characters. Catch
this rare condition and drop the characters that won't fit into the
existing buffer.

Fixes #13436.

(cherry picked from commit d0356aba3c9394200a86dcab7d1cf17a558c5eab)
