
Commit 0a2d3e3

Browse files
committed
KaxBlockInternal: check EBML lace sizes against available buffer space
1 parent 4934049 commit 0a2d3e3


2 files changed

+14
-0
lines changed


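--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2015-10-20 Moritz Bunkus <moritz@bunkus.org>
+
+* KaxInternalBlock::ReadData(): Fixed an invalid memory
+access. When reading a block group or a simple block that uses
+EBML lacing the frame sizes indicated in the lacing weren't
+checked against the available number of bytes. If the indicated
+frame size was bigger than the whole block's size the parser would
+read beyond the end of the buffer resulting in a heap information
+leak.
+
 2015-10-17 Moritz Bunkus <moritz@bunkus.org>
 
 * Released v1.4.3.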

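--- a/src/KaxBlock.cpp
+++ b/src/KaxBlock.cpp
@@ -529,6 +529,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
 case LACING_EBML:
 SizeRead = LastBufferSize;
 FrameSize = ReadCodedSizeValue(BufferStart + Mem.GetPosition(), SizeRead, SizeUnknown);
+if (!FrameSize || (static_cast<uint32>(FrameSize + SizeRead) > LastBufferSize))
+throw SafeReadIOCallback::EndOfStreamX(SizeRead);
 SizeList[0] = FrameSize;
 Mem.Skip(SizeRead);
 LastBufferSize -= FrameSize + SizeRead;
@@ -537,6 +539,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
 // get the size of the frame
 SizeRead = LastBufferSize;
 FrameSize += ReadCodedSizeSignedValue(BufferStart + Mem.GetPosition(), SizeRead, SizeUnknown);
+if (!FrameSize || (static_cast<uint32>(FrameSize + SizeRead) > LastBufferSize))
+throw SafeReadIOCallback::EndOfStreamX(SizeRead);
 SizeList[Index] = FrameSize;
 Mem.Skip(SizeRead);
 LastBufferSize -= FrameSize + SizeRead;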
