id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
559,Crash due to memory corruption when importing subtitles [include fix],Timac2,astrange,"The code to import subtitles (SubImport.mm) has a memory corruption which can lead to a crash.

Steps to reproduce:
1- Import a movie with subtitles (for example .ass file)

Result:
There is a memory corruption in the function ParseSubTime which can lead to a random crash. The sscanf call in ParseSubTime writes a NULL character on the stack. Depending on the stack, this might lead to a crash.


The ParseSubTime function contains the following code:

char separator;
if (sscanf(time,""%u:%u:%u%[,.:]%u"",&hour,&minute,&second,&separator,&subsecond) < 5)
 return 0;

You use ""%[,.:]"" to parse the separator but the separator variable is a char. According to the sscanf documentation (see man sscanf), ""the next pointer must be a pointer to char, and there must be enough room for all the characters in the string, plus a terminating NUL character."". In Perian source code, this is not the case and leads to a memory corruption.


My suggested fix is to use ""%c"" instead of ""%[,.:]"" (and check the separator):

if (sscanf(time,""%u:%u:%u%[,.:]%u"",&hour,&minute,&second,&separator,&subsecond) < 5)
		return 0;

by

if (sscanf(time,""%u:%u:%u%c%u"",&hour,&minute,&second,&separator,&subsecond) < 5 || (separator != ',' && separator != '.' && separator != ':'))
		return 0;",defect,closed,normal,1.2.2,Subtitles,1.2,normal,fixed,,
