EbmlElement: don't read beyond end of buffer when reading variable length integers
mbunkus committed Oct 20, 2015
1 parent 12b560a commit 24e5cd7
Showing 2 changed files with 11 additions and 0 deletions.
6 changes: 6 additions & 0 deletions ChangeLog
@@ -1,5 +1,11 @@
2015-10-20 Moritz Bunkus <moritz@bunkus.org>

* EbmlElement::ReadCodedSizeValue(): Fixed an invalid memory
access. When reading a EBML variable length integer value a read
access beyond the end of the available buffer was possible if
fewer bytes were available than indicated by the first byte
resulting in a heap information leak.

* EbmlUnicodeString::UpdateFromUTF8(): Fixed an invalid memory
access. When reading from a UTF-8 string in which the length
indicated by a UTF-8 character's first byte exceeds the string's
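Review bot: In the new EbmlElement::ReadCodedSizeValue() entry, "When reading a EBML variable length integer value" should read "an EBML", and a comma before "resulting in a heap information leak" would make it clear that the leak is the consequence of the out-of-bounds read. The entry describes the defect but not the new behaviour; adding a short clause saying what the function does when fewer bytes are available than the first byte indicates would tell library users what to expect from truncated input.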
5 changes: 5 additions & 0 deletions src/EbmlElement.cpp
Expand Up @@ -150,6 +150,11 @@ uint64 ReadCodedSizeValue(const binary * InBuffer, uint32 & BufferSize, uint64 &
// ID found
PossibleSizeLength = SizeIdx + 1;
SizeBitMask >>= SizeIdx;

// Guard against invalid memory accesses with incomplete IDs.
if (PossibleSizeLength > BufferSize)
break;

for (SizeIdx = 0; SizeIdx < PossibleSizeLength; SizeIdx++) {
PossibleSize[SizeIdx] = InBuffer[SizeIdx];
}
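Review bot: The guard `if (PossibleSizeLength > BufferSize)` only runs after the length has been derived from the first byte, so it does not by itself cover an empty buffer (BufferSize == 0); please confirm the first-byte read earlier in the function is protected, or add a check there. The comment says "incomplete IDs", while the function is ReadCodedSizeValue() and the ChangeLog entry speaks of variable length integers, so "incomplete sizes" would match better. The `break` leaves the enclosing loop, and the code after that loop is not visible in this hunk; it is worth confirming that this path reports failure to the caller rather than a partially initialised size. The commit touches only ChangeLog and src/EbmlElement.cpp, so a regression test that feeds a buffer shorter than the length indicated by its first byte would be a useful addition.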
