
Commit 88409e2

EbmlMaster: propagate upper level element after infinite sized one correctly
When the parser encountered a deeply nested element with an infinite size then a following element of an upper level was not propagated correctly. Instead the element with the infinite size was added into the EBML element tree a second time resulting in memory access after freeing it and multiple attempts to free the same memory address during destruction. Fixes the issue reported as Cisco TALOS-CAN-0037.
1 parent 24e5cd7 commit 88409e2

2 files changed, +16 -0 lines changed

Diff for: ChangeLog

+8
@@ -1,5 +1,13 @@
11
2015-10-20 Moritz Bunkus <moritz@bunkus.org>
22

3+
* EbmlMaster::Read(): When the parser encountered a deeply nested
4+
element with an infinite size then a following element of an upper
5+
level was not propagated correctly. Instead the element with the
6+
infinite size was added into the EBML element tree a second time
7+
resulting in memory access after freeing it and multiple attempts
8+
to free the same memory address during destruction. Fixes the
9+
issue reported as Cisco TALOS-CAN-0037.
10+
311
* EbmlElement::ReadCodedSizeValue(): Fixed an invalid memory
412
access. When reading a EBML variable length integer value a read
513
access beyond the end of the available buffer was possible if
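Review bot: the new ChangeLog entry under the 2015-10-20 heading describes only the symptom (the infinite-sized element being added to the EBML tree a second time, the use after free and the repeated free during destruction) and says nothing about what was changed to fix it. One sentence such as "EbmlMaster::Read() now propagates the upper-level element that was found (FoundElt) instead of re-inserting the infinite-sized child" would let a reader match the entry to the code change without opening the diff.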

Diff for: src/EbmlMaster.cpp

+8
@@ -454,6 +454,14 @@ void EbmlMaster::Read(EbmlStream & inDataStream, const EbmlSemanticContext & sCo
454454
} else {
455455
if (DeleteElement)
456456
delete ElementLevelA;
457+
458+
if (UpperEltFound) {
459+
--UpperEltFound;
460+
if (UpperEltFound > 0 || MaxSizeToRead <= 0)
461+
goto processCrc;
462+
ElementLevelA = FoundElt;
463+
}
464+
457465
break;
458466
}
459467
}
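Review bot: the new `if (UpperEltFound)` block in the else branch has no comment, and its control flow is not self-explanatory: `UpperEltFound` is decremented, execution jumps to `processCrc` when the count is still positive or `MaxSizeToRead <= 0`, and otherwise `ElementLevelA` is replaced by `FoundElt` immediately after `ElementLevelA` may have been deleted a few lines above. A short comment stating that the deleted child is being swapped for the pending upper-level element, and why a remaining count or exhausted size goes straight to the CRC handling, would help the next reader. The hunk also does not show whether `FoundElt` is guaranteed to be set whenever `UpperEltFound` is non-zero; if it can be null at this point, guard the assignment. Finally, only ChangeLog and src/EbmlMaster.cpp change, so there is no regression test for the TALOS-CAN-0037 input; a minimal EBML sample with a nested infinite-sized element followed by an upper-level element would lock the fix in.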
