KaxBlockInternal: check EBML lace sizes against available buffer space
authorMoritz Bunkus <moritz@bunkus.org>
Tue, 20 Oct 2015 10:00:53 +0000 (12:00 +0200)
committerMoritz Bunkus <moritz@bunkus.org>
Tue, 20 Oct 2015 10:00:53 +0000 (12:00 +0200)
ChangeLog
src/KaxBlock.cpp

index e260ea10ffd73983d5f29ac443a55ff6a5731152..f61dac0226c62538057844e6304fb6c9631b9026 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2015-10-20  Moritz Bunkus  <moritz@bunkus.org>
+
+        * KaxInternalBlock::ReadData(): Fixed an invalid memory
+        access. When reading a block group or a simple block that uses
+        EBML lacing the frame sizes indicated in the lacing weren't
+        checked against the available number of bytes. If the indicated
+        frame size was bigger than the whole block's size the parser would
+        read beyond the end of the buffer resulting in a heap information
+        leak.
+
 2015-10-17  Moritz Bunkus  <moritz@bunkus.org>
 
         * Released v1.4.3.
index b59538ca14c60022c449ae8e0319d583b0e37e7c..22d213283603fe51ef85030c6f376468cdaa0537 100644 (file)
@@ -529,6 +529,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
           case LACING_EBML:
             SizeRead = LastBufferSize;
             FrameSize = ReadCodedSizeValue(BufferStart + Mem.GetPosition(), SizeRead, SizeUnknown);
+            if (!FrameSize || (static_cast<uint32>(FrameSize + SizeRead) > LastBufferSize))
+              throw SafeReadIOCallback::EndOfStreamX(SizeRead);
             SizeList[0] = FrameSize;
             Mem.Skip(SizeRead);
             LastBufferSize -= FrameSize + SizeRead;
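Review bot: The new bounds check in the LACING_EBML case adds `FrameSize + SizeRead` and narrows the sum with `static_cast<uint32>` before comparing it with `LastBufferSize`, so a sum that wraps or is truncated to 32 bits can look small and pass. The declarations are outside the hunk, but if `FrameSize` is signed or wider than 32 bits, an oversized lace size could still reach `SizeList[0]` and the `LastBufferSize -=` line. The same expression is repeated in the loop hunk that follows, where a signed delta from `ReadCodedSizeSignedValue` is accumulated and `!FrameSize` rejects only zero, not a negative running size. Comparing without the addition avoids both cases: `if (FrameSize <= 0 || SizeRead > LastBufferSize || static_cast<uint64>(FrameSize) > LastBufferSize - SizeRead)`. The body of `ReadData` starts and ends outside both hunks, so the types should be confirmed against the declarations.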
@@ -537,6 +539,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
               // get the size of the frame
               SizeRead = LastBufferSize;
               FrameSize += ReadCodedSizeSignedValue(BufferStart + Mem.GetPosition(), SizeRead, SizeUnknown);
+              if (!FrameSize || (static_cast<uint32>(FrameSize + SizeRead) > LastBufferSize))
+                throw SafeReadIOCallback::EndOfStreamX(SizeRead);
               SizeList[Index] = FrameSize;
               Mem.Skip(SizeRead);
               LastBufferSize -= FrameSize + SizeRead;