Skip to content

demux: webvtt: fix stack overflow on circular CSS style link

Mohit Shuklarequested to merge
tendinginfinity/vlc:fix/webvtt-fuzz-5829271106158592 into master

Hey everyone,

This MR is a quick fix for a nasty stack overflow that the fuzzer found in our WebVTT subtitle module. It's actually a pretty common logic error!

What Was Broken

The bug was caused by an infinite loop in the ClearCSSStyles function. When a subtitle file contained a CSS style list with a circular reference (like a node pointing back up the chain), the function recursively called itself forever. This completely ate up the memory stack, leading to an immediate crash.

The Simple Fix

I've added a simple safeguard inside ClearCSSStyles. By setting the pointer to the child list to NULL before the recursive traversal begins, we stop the function from getting caught in the endless loop. It breaks the cycle, allowing the function to finish the cleanup safely.

How I Verified It

I built the latest 4.0.0-dev on my local machine and ran the exact input file that caused the crash.

Merge request reports

VideoLAN code repository instance