From: Moritz Bunkus
Date: Tue, 20 Oct 2015 10:00:53 +0000 (+0200)
Subject: KaxBlockInternal: check EBML lace sizes against available buffer space
X-Git-Tag: release-1.4.4~2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0a2d3e3644a7453b6513db2f9bc270f77943573f;p=libmatroska
KaxBlockInternal: check EBML lace sizes against available buffer space
---
diff --git a/ChangeLog b/ChangeLog
index e260ea1..f61dac0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2015-10-20 Moritz Bunkus + + * KaxInternalBlock::ReadData(): Fixed an invalid memory access. When reading a block group or a simple block that uses EBML lacing the frame sizes indicated in the lacing weren't checked against the available number of bytes. If the indicated frame size was bigger than the whole block's size the parser would read beyond the end of the buffer resulting in a heap information leak. + 2015-10-17 Moritz Bunkus + * Released v1.4.3.
diff --git a/src/KaxBlock.cpp b/src/KaxBlock.cpp
index b59538c..22d2132 100644
--- a/src/KaxBlock.cpp
+++ b/src/KaxBlock.cpp
@@ -529,6 +529,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
 case LACING_EBML:
 SizeRead = LastBufferSize;
 FrameSize = ReadCodedSizeValue(BufferStart + Mem.GetPosition(), SizeRead, SizeUnknown);
+ if (!FrameSize || (static_cast(FrameSize + SizeRead) > LastBufferSize))
+ throw SafeReadIOCallback::EndOfStreamX(SizeRead);
 SizeList[0] = FrameSize;
 Mem.Skip(SizeRead);
 LastBufferSize -= FrameSize + SizeRead;
@@ -537,6 +539,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
 // get the size of the frame
 SizeRead = LastBufferSize;
 FrameSize += ReadCodedSizeSignedValue(BufferStart + Mem.GetPosition(), SizeRead, SizeUnknown);
+ if (!FrameSize || (static_cast(FrameSize + SizeRead) > LastBufferSize))
+ throw SafeReadIOCallback::EndOfStreamX(SizeRead);
 SizeList[Index] = FrameSize;
 Mem.Skip(SizeRead);
 LastBufferSize -= FrameSize + SizeRead;
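Review bot: The new guard in both KaxBlock.cpp hunks (the `ReadCodedSizeValue` branch at +529 and the `ReadCodedSizeSignedValue` branch at +539) tests the sum `FrameSize + SizeRead`, and if `FrameSize` and `SizeRead` are fixed-width unsigned integers (their declarations are outside the hunks) a decoded size near the top of that range wraps the sum to a small value that passes the `> LastBufferSize` comparison and still lets the later `LastBufferSize -= FrameSize + SizeRead` underflow. Comparing against the remaining space avoids the addition entirely: `if (!FrameSize || SizeRead > LastBufferSize || FrameSize > LastBufferSize - SizeRead) throw SafeReadIOCallback::EndOfStreamX(SizeRead);`. In the second hunk `FrameSize` accumulates a signed delta, so if it is a signed type a small negative result (between `-SizeRead` and `-1`) also survives the check and is stored into `SizeList[Index]`; adding `FrameSize < 0` to the condition there closes that gap. The template argument of `static_cast` was lost in this rendering and `ReadData`'s body begins and ends outside both hunks, so the declared types of `FrameSize`, `SizeRead` and `LastBufferSize` should be confirmed in the full source before settling on the exact form of the comparison.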