
EbmlElement: don't read beyond end of buffer when reading variable length integers
mbunkus committed Oct 20, 2015
1 parent 12b560a commit 24e5cd7c666b1ddd85619d60486db0a5481c1b90
Showing with 11 additions and 0 deletions.
  1. +6 −0 ChangeLog
  2. +5 −0 src/EbmlElement.cpp
@@ -1,5 +1,11 @@
2015-10-20 Moritz Bunkus <moritz@bunkus.org>

* EbmlElement::ReadCodedSizeValue(): Fixed an invalid memory
access. When reading a EBML variable length integer value a read
access beyond the end of the available buffer was possible if
fewer bytes were available than indicated by the first byte
resulting in a heap information leak.

* EbmlUnicodeString::UpdateFromUTF8(): Fixed an invalid memory
access. When reading from a UTF-8 string in which the length
indicated by a UTF-8 character's first byte exceeds the string's
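Review bot: In the added ReadCodedSizeValue() entry, "When reading a EBML variable length integer value" should read "an EBML", and a comma before "resulting in a heap information leak" would make the sentence easier to parse. The entry names the function as EbmlElement::ReadCodedSizeValue(), while the hunk header in src/EbmlElement.cpp shows ReadCodedSizeValue without a class qualifier; if it is a free function in that file, dropping the EbmlElement:: prefix keeps the ChangeLog searchable against the source.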
@@ -150,6 +150,11 @@ uint64 ReadCodedSizeValue(const binary * InBuffer, uint32 & BufferSize, uint64 &
// ID found
PossibleSizeLength = SizeIdx + 1;
SizeBitMask >>= SizeIdx;

// Guard against invalid memory accesses with incomplete IDs.
if (PossibleSizeLength > BufferSize)
break;

for (SizeIdx = 0; SizeIdx < PossibleSizeLength; SizeIdx++) {
PossibleSize[SizeIdx] = InBuffer[SizeIdx];
}
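Review bot: The new guard "if (PossibleSizeLength > BufferSize) break;" leaves the enclosing loop, but the hunk does not show what the function returns on that path, so please confirm that a truncated buffer ends in the same "no size found" result as an unmatched first byte and not in a value computed from a partly filled PossibleSize. The comment says "incomplete IDs" although this function decodes a coded size; "incomplete size values" would match the ChangeLog wording. A regression test feeding a buffer shorter than the length announced by its first byte would pin the behaviour down.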
