From 37cf4d8f6d33ff2d3edbe896b8fe8e6299d2f6fd Mon Sep 17 00:00:00 2001
From: Philip Deljanov <philip.deljanov@gmail.com>
Date: Wed, 21 Feb 2024 20:21:14 -0500
Subject: [PATCH] mkv: Return error instead of panicing when reading the wrong
 EBML element.

The SeekHeadElement may contain an invalid element type and position
pair. We can't assume what we are reading at the the position is
the stated element type. Since this was an assertion a malicious or
broken file could trigger it. Return an error instead.

Fixes #201.
---
 symphonia-format-mkv/src/demuxer.rs |  4 ++++
 symphonia-format-mkv/src/ebml.rs    | 10 +++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/symphonia-format-mkv/src/demuxer.rs b/symphonia-format-mkv/src/demuxer.rs
index 80364e29..ddab18e5 100644
--- a/symphonia-format-mkv/src/demuxer.rs
+++ b/symphonia-format-mkv/src/demuxer.rs
@@ -390,6 +390,10 @@ impl FormatReader for MkvReader {
 
             for (etype, pos) in seek_positions {
                 it.seek(pos)?;
+
+                // Safety: The element type or position may be incorrect. The element iterator will
+                // validate the type (as declared in the header) of the element at the seeked
+                // position against the element type asked to be read.
                 match etype {
                     ElementType::Tracks => {
                         segment_tracks = Some(it.read_element::<TracksElement>()?);
diff --git a/symphonia-format-mkv/src/ebml.rs b/symphonia-format-mkv/src/ebml.rs
index 3092ee6c..e814831c 100644
--- a/symphonia-format-mkv/src/ebml.rs
+++ b/symphonia-format-mkv/src/ebml.rs
@@ -341,11 +341,11 @@ impl<R: ReadBytes> ElementIterator<R> {
     /// [Self::read_header] or [Self::read_child_header].
     pub(crate) fn read_element_data<E: Element>(&mut self) -> Result<E> {
         let header = self.current.expect("EBML header must be read before calling this function");
-        assert_eq!(
-            header.etype,
-            E::ID,
-            "EBML element type must be checked before calling this function"
-        );
+
+        // Ensure the EBML element header has the same element type as the one being read.
+        if header.etype != E::ID {
+            return decode_error("mkv: unexpected EBML element");
+        }
 
         let element = E::read(&mut self.reader, header)?;
         // Update position to match the position element reader finished at