EbmlMaster: propagate upper level element after infinite sized one co…

…rrectly When the parser encountered a deeply nested element with an infinite size then a following element of an upper level was not propagated correctly. Instead the element with the infinite size was added into the EBML element tree a second time resulting in memory access after freeing it and multiple attempts to free the same memory address during destruction. Fixes the issue reported as Cisco TALOS-CAN-0037.
Matroska-Org · Oct 20, 2015 · 88409e2 · 88409e2
1 parent 24e5cd7
commit 88409e2
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,5 +1,13 @@
 2015-10-20  Moritz Bunkus  <moritz@bunkus.org>
 
+        * EbmlMaster::Read(): When the parser encountered a deeply nested
+        element with an infinite size then a following element of an upper
+        level was not propagated correctly. Instead the element with the
+        infinite size was added into the EBML element tree a second time
+        resulting in memory access after freeing it and multiple attempts
+        to free the same memory address during destruction. Fixes the
+        issue reported as Cisco TALOS-CAN-0037.
+
         * EbmlElement::ReadCodedSizeValue(): Fixed an invalid memory
         access. When reading a EBML variable length integer value a read
         access beyond the end of the available buffer was possible if

diff --git a/src/EbmlMaster.cpp b/src/EbmlMaster.cpp
@@ -454,6 +454,14 @@ void EbmlMaster::Read(EbmlStream & inDataStream, const EbmlSemanticContext & sCo
         } else {
           if (DeleteElement)
             delete ElementLevelA;
+
+          if (UpperEltFound) {
+            --UpperEltFound;
+            if (UpperEltFound > 0 || MaxSizeToRead <= 0)
+              goto processCrc;
+            ElementLevelA = FoundElt;
+          }
+
           break;
         }
       }