[PATCH] fixed #2295

author jeanlf <jeanlf@gpac.io>

Fri, 4 Nov 2022 08:26:34 +0000 (09:26 +0100)

committer Moritz Mühlenhoff <jmm@debian.org>

Mon, 19 Jun 2023 21:46:06 +0000 (22:46 +0100)
author jeanlf <jeanlf@gpac.io>
Fri, 4 Nov 2022 08:26:34 +0000 (09:26 +0100)
committer Moritz Mühlenhoff <jmm@debian.org>
Mon, 19 Jun 2023 21:46:06 +0000 (22:46 +0100)
diff --git a/src/scenegraph/svg_attributes.c b/src/scenegraph/svg_attributes.c

index 3b47eab0e59f16a170e0554fc9d42b99a94e4623..8830c19a5813ec2a9a46cfa11a82495e68731e80 100644 (file)
--- a/src/scenegraph/svg_attributes.c
+++ b/src/scenegraph/svg_attributes.c
@@ -2458,17 +2458,22 @@ static void svg_parse_boolean(SVG_Boolean *value, char *value_string)
  static void smil_parse_time_list(GF_Node *e, GF_List *values, char *begin_or_end_list)
  {
         SMIL_Time *value;
-       char value_string[500];
+       char value_string[1025];
         char *str = begin_or_end_list, *tmp;
         u32 len;
  
         /* get rid of leading spaces */
         while (*str == ' ') str++;
  
+       value_string[1024] = 0;
         while (1) {
                 tmp = strchr(str, ';');
                 if (tmp) len = (u32) (tmp-str);
                 else len = (u32) strlen(str);
+               if (len>1024) {
+                       GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[SVG Parsing] SMIL time list attribute too long, max supported 1024 bytes\n"));
+                       goto err;
+               }
                 memcpy(value_string, str, len);
                 while ((len > 0) && (value_string[len - 1] == ' '))
                         len--;
author	jeanlf <jeanlf@gpac.io>
	Fri, 4 Nov 2022 08:26:34 +0000 (09:26 +0100)
committer	Moritz Mühlenhoff <jmm@debian.org>
	Mon, 19 Jun 2023 21:46:06 +0000 (22:46 +0100)