Commit 24e5cd7

EbmlElement: don't read beyond end of buffer when reading variable length integers
1 parent 12b560a commit 24e5cd7

2 files changed

+11
-0
lines changed


Diff for: ChangeLog

+6
@@ -1,5 +1,11 @@
11
2015-10-20 Moritz Bunkus <moritz@bunkus.org>
22

3+
* EbmlElement::ReadCodedSizeValue(): Fixed an invalid memory
4+
access. When reading a EBML variable length integer value a read
5+
access beyond the end of the available buffer was possible if
6+
fewer bytes were available than indicated by the first byte
7+
resulting in a heap information leak.
8+
39
* EbmlUnicodeString::UpdateFromUTF8(): Fixed an invalid memory
410
access. When reading from a UTF-8 string in which the length
511
indicated by a UTF-8 character's first byte exceeds the string's
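
Review bot: the new entry names the function as EbmlElement::ReadCodedSizeValue(), while the hunk header in src/EbmlElement.cpp shows it unqualified as "uint64 ReadCodedSizeValue(const binary * InBuffer, uint32 & BufferSize, ...", so the entry should use the name as it is declared so that readers can grep for it. In the same entry, "a EBML variable length integer" should read "an EBML variable length integer". Since the entry describes the impact as a heap information leak, it would also help to state what callers now observe for a truncated size field, so downstream users know whether they need to handle a new failure case.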

Diff for: src/EbmlElement.cpp

+5
@@ -150,6 +150,11 @@ uint64 ReadCodedSizeValue(const binary * InBuffer, uint32 & BufferSize, uint64 &
150150
// ID found
151151
PossibleSizeLength = SizeIdx + 1;
152152
SizeBitMask >>= SizeIdx;
153+
154+
// Guard against invalid memory accesses with incomplete IDs.
155+
if (PossibleSizeLength > BufferSize)
156+
break;
157+
153158
for (SizeIdx = 0; SizeIdx < PossibleSizeLength; SizeIdx++) {
154159
PossibleSize[SizeIdx] = InBuffer[SizeIdx];
155160
}
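
Review bot: the added "break" on "PossibleSizeLength > BufferSize" leaves the enclosing loop, but the hunk does not show what the function returns on that path or whether any output parameter has already been written; please confirm that a truncated buffer produces the same "no valid size" result callers already handle, and not a value they could mistake for a real size. The hunk also does not show a check for BufferSize being 0 before the first byte is inspected, which is the same class of over-read and worth confirming in the lines above. The comment says "incomplete IDs", but this is ReadCodedSizeValue() and the guard compares PossibleSizeLength, so "incomplete size values" would match the code. The commit changes only ChangeLog and src/EbmlElement.cpp; a regression test that passes a buffer shorter than the length announced by its first byte would keep this guard from being lost later.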
