KaxBlock: don't access beyond enf-of-buffer for one frame in EBML lacing
authorMoritz Bunkus <moritz@bunkus.org>
Fri, 19 Dec 2014 13:00:02 +0000 (14:00 +0100)
committerMoritz Bunkus <moritz@bunkus.org>
Fri, 19 Dec 2014 13:00:02 +0000 (14:00 +0100)
See https://trac.bunkus.org/ticket/1096, test case
id:000002,sig:06,src:000000,op:flip2,pos:582

ChangeLog
src/KaxBlock.cpp

index 06ea9991395b5a2aee8603ecc8fe7eb3be666e12..15fd2c5309df060412a064ac8a78d16efb7ff172 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-12-19  Moritz Bunkus  <moritz@bunkus.org>
+
+        * KaxBlock::ReadInternalHead(): fixed a off-by-one buffer overflow
+        if with EBML lacing and exactly one frame in the lace.
+
 2013-09-17 mosu
 New 1.4.1 version:
     - Added new elements/classes DiscardPadding, CodecDelay and
index bdc926d06f3c940cd13c6fdd689e5d2dc318a1cd..95407b029133fe6c02c348cf372bb53fd2bec783 100644 (file)
@@ -537,7 +537,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
           cursor += SizeRead;
           LastBufferSize -= FrameSize + SizeRead;
         }
-        SizeList[Index] = LastBufferSize;
+        if (Index <= FrameNum) // Safety check if FrameNum == 0
+          SizeList[Index] = LastBufferSize;
         break;
       case LACING_FIXED:
         for (Index=0; Index<=FrameNum; Index++) {
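Review bot: The new guard on `SizeList[Index] = LastBufferSize;` skips the store instead of rejecting the lace, so in the one-frame case the last SizeList entry keeps whatever the code above the hunk put there and the remaining LastBufferSize is never reconciled with it; if a crafted lace can make those two disagree, the inconsistency is now accepted silently rather than reported, which is worth a deliberate decision and a comment. The bound is also expressed as FrameNum rather than the container's own size, which is only safe while SizeList is sized FrameNum+1 elsewhere, so the comment should name that invariant rather than the symptom, e.g. `// With FrameNum == 0 the loop leaves Index past the last entry (SizeList holds FrameNum+1 sizes); skip the store rather than write past the end`. The start of the LACING_EBML case, including where SizeList is sized and how Index reaches this point, lies above the hunk, so I cannot confirm the invariant from here.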