[vlc-commits] better size checking of EBML elements before we read them

Steve Lhomme git at videolan.org
Mon Feb 23 10:42:49 CET 2015


vlc | branch: master | Steve Lhomme <robux4 at gmail.com> | Mon Feb 23 10:34:01 2015 +0100| [d7ddde73897e45011c8e1ad36d359e99801bcf6c] | committer: Jean-Baptiste Kempf

better size checking of EBML elements before we read them

Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=d7ddde73897e45011c8e1ad36d359e99801bcf6c
---

 modules/demux/mkv/demux.cpp                  |    2 +-
 modules/demux/mkv/matroska_segment.cpp       |   14 ++++++++------
 modules/demux/mkv/matroska_segment_parse.cpp |   14 +++++++-------
 3 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/modules/demux/mkv/demux.cpp b/modules/demux/mkv/demux.cpp
index 1feca55..21618f4 100644
--- a/modules/demux/mkv/demux.cpp
+++ b/modules/demux/mkv/demux.cpp
@@ -519,7 +519,7 @@ matroska_stream_c *demux_sys_t::AnalyseAllSegmentsFound( demux_t *p_demux, EbmlS
                     // find the families of this segment
                     KaxInfo *p_info = static_cast<KaxInfo*>(p_l1);
                     b_keep_segment = b_initial;
-                    if( unlikely( p_info->GetSize() >= SIZE_MAX ) )
+                    if( unlikely( p_info->IsFiniteSize() && p_info->GetSize() >= SIZE_MAX ) )
                     {
                         msg_Err( p_demux, "KaxInfo too big aborting" );
                         break;
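Review bot: With the added `IsFiniteSize() &&` term, a KaxInfo that declares an unknown size now bypasses this guard completely, and for finite sizes `GetSize() >= SIZE_MAX` only protects against truncation to `size_t` rather than bounding the size against the data actually available (on a 64-bit build, assuming GetSize() returns a 64-bit value, it rejects a single value). The code that reads the element sits outside the hunk, so whether an unknown-size Info is handled safely there cannot be confirmed from here. I would pair the check with the validation used in BlockGet in this same commit, `if( unlikely( !p_info->ValidateSize() || ( p_info->IsFiniteSize() && p_info->GetSize() >= SIZE_MAX ) ) )`, and add a comment such as `/* unknown-size masters are accepted; SIZE_MAX only guards size_t truncation */`. The same finite-only condition is added in ParseTracks, ParseInfo (twice), ParseAttachments, ParseChapters and ParseCluster in matroska_segment_parse.cpp.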
diff --git a/modules/demux/mkv/matroska_segment.cpp b/modules/demux/mkv/matroska_segment.cpp
index df24096..966d6aa 100644
--- a/modules/demux/mkv/matroska_segment.cpp
+++ b/modules/demux/mkv/matroska_segment.cpp
@@ -139,7 +139,7 @@ void matroska_segment_c::LoadCues( KaxCues *cues )
                     KaxCueTime &ctime = *(KaxCueTime*)el;
                     try
                     {
-                        if( unlikely( ctime.GetSize() >= SIZE_MAX ) )
+                        if( unlikely( !ctime.ValidateSize() ) )
                         {
                             msg_Err( &sys.demuxer, "CueTime size too big");
                             b_invalid_cue = true;
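Review bot: Replacing `GetSize() >= SIZE_MAX` with `!ctime.ValidateSize()` alone drops the explicit upper bound here, whereas the BlockGet hunks of this commit keep both tests. What ValidateSize() enforces depends on the libebml element class and is not visible in this diff, which matters most at the sites that test a generic `el`. Unless every class reached here is known to bound its own size, keep the combined form, `if( unlikely( !ctime.ValidateSize() || ( ctime.IsFiniteSize() && ctime.GetSize() >= SIZE_MAX ) ) )`. The log text "CueTime size too big" also no longer describes the failure and could read `"CueTime has an invalid size"`. The same applies to the second LoadCues hunk, ParseSimpleTags, LoadTags and ParseSeekHead; the enclosing `try` block continues outside the hunk.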
@@ -162,7 +162,7 @@ void matroska_segment_c::LoadCues( KaxCues *cues )
                     {
                         while( ( el = ep->Get() ) != NULL )
                         {
-                            if( unlikely( el->GetSize() >= SIZE_MAX ) )
+                            if( unlikely( !el->ValidateSize() ) )
                             {
                                 ep->Up();
                                 msg_Err( &sys.demuxer, "Error %s too big, aborting", typeid(*el).name() );
@@ -296,7 +296,7 @@ SimpleTag * matroska_segment_c::ParseSimpleTags( KaxTagSimple *tag, int target_t
     {
         while( ( el = ep->Get() ) != NULL && size < max_size)
         {
-            if( unlikely( el->GetSize() >= SIZE_MAX ) )
+            if( unlikely( !el->ValidateSize() ) )
             {
                 msg_Err( &sys.demuxer, "Error %s too big ignoring the tag", typeid(*el).name() );
                 delete ep;
@@ -409,7 +409,7 @@ void matroska_segment_c::LoadTags( KaxTags *tags )
                     {
                         try
                         {
-                            if( unlikely( el->GetSize() >= SIZE_MAX ) )
+                            if( unlikely( !el->ValidateSize() ) )
                             {
                                 msg_Err( &sys.demuxer, "Invalid size while reading tag");
                                 break;
@@ -1351,7 +1351,8 @@ int matroska_segment_c::BlockGet( KaxBlock * & pp_block, KaxSimpleBlock * & pp_s
                     }
                     break;
                 case 2:
-                    if( unlikely( el->GetSize() >= SIZE_MAX ) )
+                    if( unlikely( !el->ValidateSize() ||
+                                  ( el->IsFiniteSize() && el->GetSize() >= SIZE_MAX ) ) )
                     {
                         msg_Err( &sys.demuxer, "Error while reading %s... upping level", typeid(*el).name());
                         ep->Up();
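Review bot: The two-part condition added under `case 2` is repeated verbatim under `case 3`, and it is the strictest form of the size check in this commit, while the other call sites use only one half of it. Moving it into one file-local helper would let every site apply the same rule and make it harder to miss one when the policy changes. The sketch below assumes `el` is an `EbmlElement *`, as it is declared in ParseAttachments; the switch and the rest of BlockGet lie outside the hunk.

```cpp
// file-local helper, placed above BlockGet
static inline bool ElementSizeIsUsable( EbmlElement *p_el )
{
    /* reject sizes the element class considers invalid, and finite sizes
     * that cannot be represented in a size_t */
    return p_el->ValidateSize() &&
           ( !p_el->IsFiniteSize() || p_el->GetSize() < SIZE_MAX );
}

// … unchanged: preceding case handling …
                case 2:
                    if( unlikely( !ElementSizeIsUsable( el ) ) )
// … unchanged: msg_Err and ep->Up() …
```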
@@ -1388,7 +1389,8 @@ int matroska_segment_c::BlockGet( KaxBlock * & pp_block, KaxSimpleBlock * & pp_s
                     }
                     break;
                 case 3:
-                    if( unlikely( el->GetSize() >= SIZE_MAX ) )
+                    if( unlikely( !el->ValidateSize() ||
+                                  ( el->IsFiniteSize() && el->GetSize() >= SIZE_MAX ) ) )
                     {
                         msg_Err( &sys.demuxer, "Error while reading %s... upping level", typeid(*el).name());
                         ep->Up();
diff --git a/modules/demux/mkv/matroska_segment_parse.cpp b/modules/demux/mkv/matroska_segment_parse.cpp
index 751c824..1b07452 100644
--- a/modules/demux/mkv/matroska_segment_parse.cpp
+++ b/modules/demux/mkv/matroska_segment_parse.cpp
@@ -93,7 +93,7 @@ void matroska_segment_c::ParseSeekHead( KaxSeekHead *seekhead )
             {
                 while( ( l = ep->Get() ) != NULL )
                 {
-                    if( unlikely( l->GetSize() >= SIZE_MAX ) )
+                    if( unlikely( !l->ValidateSize() ) )
                     {
                         msg_Err( &sys.demuxer,"%s too big... skipping it",  typeid(*l).name() );
                         continue;
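Review bot: After `!l->ValidateSize()` rejects an element, the `continue` goes straight back to `ep->Get()`, while the other sites changed in this commit `break`, `return` or call `ep->Up()` on the same failure. Whether the parser can locate the next sibling without relying on the size that was just rejected is not visible from this hunk, so the loop may keep walking from a position derived from untrusted data. Consider `break;` here, or at least a comment stating why skipping is safe, e.g. `/* ep->Get() skips l without trusting its size */` if that holds. The loop body continues outside the hunk.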
@@ -745,7 +745,7 @@ void matroska_segment_c::ParseTracks( KaxTracks *tracks )
     int i_upper_level = 0;
 
     /* Master elements */
-    if( unlikely( tracks->GetSize() >= SIZE_MAX ) )
+    if( unlikely( tracks->IsFiniteSize() && tracks->GetSize() >= SIZE_MAX ) )
     {
         msg_Err( &sys.demuxer, "Track too big, aborting" );
         return;
@@ -786,7 +786,7 @@ void matroska_segment_c::ParseInfo( KaxInfo *info )
 
     /* Master elements */
     m = static_cast<EbmlMaster *>(info);
-    if( unlikely( m->GetSize() >= SIZE_MAX ) )
+    if( unlikely( m->IsFiniteSize() && m->GetSize() >= SIZE_MAX ) )
     {
         msg_Err( &sys.demuxer, "Info too big, aborting" );
         return;
@@ -914,7 +914,7 @@ void matroska_segment_c::ParseInfo( KaxInfo *info )
             KaxChapterTranslate *p_trans = static_cast<KaxChapterTranslate*>( l );
             try
             {
-                if( unlikely( p_trans->GetSize() >= SIZE_MAX ) )
+                if( unlikely( p_trans->IsFiniteSize() && p_trans->GetSize() >= SIZE_MAX ) )
                 {
                     msg_Err( &sys.demuxer, "Chapter translate too big, aborting" );
                     continue;
@@ -1108,7 +1108,7 @@ void matroska_segment_c::ParseAttachments( KaxAttachments *attachments )
     EbmlElement *el;
     int i_upper_level = 0;
 
-    if( unlikely( attachments->GetSize() >= SIZE_MAX ) )
+    if( unlikely( attachments->IsFiniteSize() && attachments->GetSize() >= SIZE_MAX ) )
     {
         msg_Err( &sys.demuxer, "Attachments too big, aborting" );
         return;
@@ -1171,7 +1171,7 @@ void matroska_segment_c::ParseChapters( KaxChapters *chapters )
     int i_upper_level = 0;
 
     /* Master elements */
-    if( unlikely( chapters->GetSize() >= SIZE_MAX ) )
+    if( unlikely( chapters->IsFiniteSize() && chapters->GetSize() >= SIZE_MAX ) )
     {
         msg_Err( &sys.demuxer, "Chapters too big, aborting" );
         return;
@@ -1245,7 +1245,7 @@ void matroska_segment_c::ParseCluster( KaxCluster *cluster, bool b_update_start_
 
     /* Master elements */
     m = static_cast<EbmlMaster *>( cluster );
-    if( unlikely( m->GetSize() >= SIZE_MAX ) )
+    if( unlikely( m->IsFiniteSize() && m->GetSize() >= SIZE_MAX ) )
     {
         msg_Err( &sys.demuxer, "Cluster too big, aborting" );
         return;


