KaxBlockInternal: check EBML lace sizes against available buffer space

ChangeLog

@@ -1,3 +1,13 @@
+2015-10-20  Moritz Bunkus  <moritz@bunkus.org>
+
+        * KaxInternalBlock::ReadData(): Fixed an invalid memory
+        access. When reading a block group or a simple block that uses
+        EBML lacing the frame sizes indicated in the lacing weren't
+        checked against the available number of bytes. If the indicated
+        frame size was bigger than the whole block's size the parser would
+        read beyond the end of the buffer resulting in a heap information
+        leak.
+
 2015-10-17  Moritz Bunkus  <moritz@bunkus.org>
 
         * Released v1.4.3.

src/KaxBlock.cpp

@@ -529,6 +529,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
           case LACING_EBML:
             SizeRead = LastBufferSize;
             FrameSize = ReadCodedSizeValue(BufferStart + Mem.GetPosition(), SizeRead, SizeUnknown);
+            if (!FrameSize || (static_cast<uint32>(FrameSize + SizeRead) > LastBufferSize))
+              throw SafeReadIOCallback::EndOfStreamX(SizeRead);
             SizeList[0] = FrameSize;
             Mem.Skip(SizeRead);
             LastBufferSize -= FrameSize + SizeRead;
@@ -537,6 +539,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
               // get the size of the frame
               SizeRead = LastBufferSize;
               FrameSize += ReadCodedSizeSignedValue(BufferStart + Mem.GetPosition(), SizeRead, SizeUnknown);
+              if (!FrameSize || (static_cast<uint32>(FrameSize + SizeRead) > LastBufferSize))
+                throw SafeReadIOCallback::EndOfStreamX(SizeRead);
               SizeList[Index] = FrameSize;
               Mem.Skip(SizeRead);
               LastBufferSize -= FrameSize + SizeRead;