[vlc-commits] Fix a crash with corrupted MKV
Denis Charmet
git at videolan.org
Wed Dec 28 01:39:55 CET 2011
vlc/vlc-1.2 | branch: master | Denis Charmet <typx at dinauz.org> | Mon Dec 26 00:39:13 2011 +0100| [c9cb2b7ec9635d25c00fb35bd2506ed92a15f201] | committer: Jean-Baptiste Kempf
Fix a crash with corrupted MKV
If the blocksize is corrupted and has a lace, you may have a buffer overflow. Should fix #5658.
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
(cherry picked from commit 61d512e93967a2b8e8ac6212de9f6c2db94bcc69)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>
> http://git.videolan.org/gitweb.cgi/vlc/vlc-1.2.git/?a=commit;h=c9cb2b7ec9635d25c00fb35bd2506ed92a15f201
---
modules/demux/mkv/mkv.cpp | 15 ++++++++++++++-
1 files changed, 14 insertions(+), 1 deletions(-)
diff --git a/modules/demux/mkv/mkv.cpp b/modules/demux/mkv/mkv.cpp
index a350a43..5f52656 100644
--- a/modules/demux/mkv/mkv.cpp
+++ b/modules/demux/mkv/mkv.cpp
@@ -520,6 +520,14 @@ void BlockDecode( demux_t *p_demux, KaxBlock *block, KaxSimpleBlock *simpleblock
tk->b_inited = true;
+ size_t frame_size = 0;
+ size_t block_size = 0;
+
+ if( simpleblock != NULL )
+ block_size = simpleblock->GetSize();
+ else
+ block_size = block->GetSize();
+
for( unsigned int i = 0;
( block != NULL && i < block->NumberFrames()) || ( simpleblock != NULL && i < simpleblock->NumberFrames() );
i++ )
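Review bot: the else branch that sets block_size calls block->GetSize() without checking block, while the loop condition directly below treats both block and simpleblock as possibly NULL. If the function can be entered with both NULL, this dereference crashes before the loop gets a chance to skip. Consider `else if( block != NULL )` and leaving block_size at 0 otherwise, so the new `frame_size > block_size` test rejects any frame in that case. A short comment saying what block_size is meant to bound (the sum of the laced frame sizes) would also help the next reader.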
@@ -535,9 +543,14 @@ void BlockDecode( demux_t *p_demux, KaxBlock *block, KaxSimpleBlock *simpleblock
else
{
data = &block->GetBuffer(i);
+ // condition when the DTS is correct (keyframe or B frame == NOT P frame)
}
- if( !data->Buffer() || data->Size() > SIZE_MAX )
+ frame_size += data->Size();
+ if( !data->Buffer() || data->Size() > SIZE_MAX || frame_size > block_size )
+ {
+ msg_Warn( p_demux, "Cannot read frame (too long or no frame)" );
break;
+ }
if( tk->i_compression_type == MATROSKA_COMPRESSION_HEADER && tk->p_compression_data != NULL )
p_block = MemToBlock( data->Buffer(), data->Size(), tk->p_compression_data->GetSize() );
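Review bot: `frame_size += data->Size();` accumulates into a size_t before the bound is tested, so the sum can wrap. With frame_size already at 50 and block_size at 100 on a 32-bit build, a lace entry reporting a size of 0xFFFFFFFF wraps the total to 49 and passes `frame_size > block_size`. Comparing against the remaining room avoids the wrap: test `data->Size() > block_size - frame_size` first (frame_size never exceeds block_size on that path) and only then add. Separately, the added comment about the DTS and keyframes sits in the branch that only assigns `data = &block->GetBuffer(i);` and does not describe anything in this hunk; it looks like it was picked up from elsewhere and should be dropped or moved.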