From 20e430105b1fc02aa135788ba150a0dd49a7d1ef Mon Sep 17 00:00:00 2001
From: Eric Kidd
Date: Sun, 5 Mar 2017 08:45:08 -0500
Subject: [PATCH] [crash] Move control-offset check into loop

We checked this once outside the loop, but we need to check it on every iteration in case the interior control offsets are corrupt.

@Manishearth: Here's one for the `cargo-fuzz` trophy case! It's working great now. I'll submit a PR with a list of everything I find.
---
vobsub/src/sub.rs | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/vobsub/src/sub.rs b/vobsub/src/sub.rs
index 9d3dd2be..e8521f8b 100644
--- a/vobsub/src/sub.rs
+++ b/vobsub/src/sub.rs
@@ -304,12 +304,6 @@ fn subtitle(raw_data: &[u8], base_time: f64) -> Result {
// Figure out where our control data starts.
let (_, initial_control_offset) = parse_be_u16_as_usize(&raw_data[2..])?;
- if initial_control_offset >= raw_data.len() {
- return Err(format!("control offset is 0x{:x}, but packet is only 0x{:x} \ bytes", initial_control_offset, raw_data.len()).into());
- }

// Declare data we want to collect from our control packets.
let mut start_time = None;
@@ -324,6 +318,13 @@ fn subtitle(raw_data: &[u8], base_time: f64) -> Result {
let mut control_offset = initial_control_offset;
loop {
trace!("looking for control sequence at: 0x{:x}", control_offset);
+ if control_offset >= raw_data.len() {
+ return Err(format!("control offset is 0x{:x}, but packet is only 0x{:x} \ bytes", control_offset, raw_data.len()).into());
+ }
+
let control_data = &raw_data[control_offset..];
match control_sequence(control_data) {
IResult::Done(_, control) => {
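Review bot: The added `if control_offset >= raw_data.len()` guard at the top of the `loop` stops the out-of-bounds slice panic, but it does not bound the loop itself: an in-bounds next-control offset that points backward to (or repeats) an earlier sequence would make this loop spin forever on a fuzzed packet, turning the crash into a hang. The code that advances `control_offset` lies outside this hunk, so I cannot confirm whether it already rejects a non-advancing offset; if it does not, the update step should enforce monotonic progress, e.g. `if next_offset < control_offset { return Err(format!("control offset 0x{:x} moves backward from 0x{:x}", next_offset, control_offset).into()); }`, keeping the self-referencing offset as the only permitted non-advancing value if the format uses it as the terminator. It would also help to annotate the new guard with why it is inside the loop, e.g. `// Re-check every iteration: each control sequence carries its own next-offset, which may be corrupt.` The enclosing `subtitle` function starts and ends outside this hunk.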