[vlc-commits] contrib:ebml: Fix the boundary check when there's error in the data

Steve Lhomme git at videolan.org
Wed Jan 24 08:46:34 CET 2018


vlc/vlc-3.0 | branch: master | Steve Lhomme <robux4 at ycbcr.xyz> | Tue Jan 23 15:45:23 2018 +0100| [94536b05b2973c9fb7eee1eb79cff0a534d4e6cf] | committer: Jean-Baptiste Kempf

contrib:ebml: Fix the boundary check when there's error in the data

Fixes some crashes.

(cherry picked from commit ff0d2f1c9d3e9c5369a862f818b93ee11be131d5)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=94536b05b2973c9fb7eee1eb79cff0a534d4e6cf
---

 contrib/src/ebml/ebml-end-boundary.patch | 66 ++++++++++++++++++++++++++++++++
 contrib/src/ebml/rules.mak               |  1 +
 2 files changed, 67 insertions(+)

diff --git a/contrib/src/ebml/ebml-end-boundary.patch b/contrib/src/ebml/ebml-end-boundary.patch
new file mode 100644
index 0000000000..d122ad8df9
--- /dev/null
+++ b/contrib/src/ebml/ebml-end-boundary.patch
@@ -0,0 +1,66 @@
+From 534dfdb995edc18e528de8ce9fa20b3df88426ae Mon Sep 17 00:00:00 2001
+From: Steve Lhomme <slhomme at matroska.org>
+Date: Tue, 23 Jan 2018 15:28:09 +0100
+Subject: [PATCH] Rework the way we look at the end boundary when looking an
+ element in a parent
+
+The test `MaxDataSize >= (PossibleID_Length + PossibleSizeLength + SizeFound)`
+is incorrect when there was garbage data skipped inside the PossibleIdNLength
+table.
+
+Now we keep track of how many memmove we had to do to know the real position of
+the PossibleIdNLength data since we started reading. That allows a proper check
+on the end value since that start.
+---
+ src/EbmlElement.cpp | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/EbmlElement.cpp b/src/EbmlElement.cpp
+index 061074b..871247c 100644
+--- libebml-1.3.5/src/EbmlElement.cpp	2018-01-23 15:40:57.156285900 +0100
++++ libebml-1.3.5/src/EbmlElement.cpp.bound	2018-01-23 15:41:51.547866500 +0100
+@@ -372,11 +372,12 @@ EbmlElement * EbmlElement::FindNextEleme
+   int PossibleSizeLength;
+   uint64 SizeUnknown;
+   int ReadIndex = 0; // trick for the algo, start index at 0
+-  uint32 ReadSize = 0;
++  uint32 ReadSize = 0, IdStart = 0;
+   uint64 SizeFound;
+   int SizeIdx;
+   bool bFound;
+   int UpperLevel_original = UpperLevel;
++  uint64 ParseStart = DataStream.getFilePointer();
+ 
+   do {
+     // read a potential ID
+@@ -402,6 +403,7 @@ EbmlElement * EbmlElement::FindNextEleme
+         // ID not found
+         // shift left the read octets
+         memmove(&PossibleIdNSize[0],&PossibleIdNSize[1], --ReadIndex);
++        IdStart++;
+       }
+ 
+       if (MaxDataSize <= ReadSize)
+@@ -460,10 +462,11 @@ EbmlElement * EbmlElement::FindNextEleme
+           //  0 : child
+           //  1 : same level
+           //  + : further parent
+-          if (Result->ValidateSize() && (SizeFound == SizeUnknown || UpperLevel > 0 || MaxDataSize == 0 || MaxDataSize >= (PossibleID_Length + PossibleSizeLength + SizeFound))) {
++          if (Result->ValidateSize() && (SizeFound == SizeUnknown || UpperLevel > 0 || MaxDataSize == 0 ||
++                                         MaxDataSize >= (IdStart + PossibleID_Length + _SizeLength + SizeFound))) {
+             if (SizeFound != SizeUnknown || Result->SetSizeInfinite()) {
+-              Result->SizePosition = DataStream.getFilePointer() - SizeIdx + EBML_ID_LENGTH(PossibleID);
+-              Result->ElementPosition = Result->SizePosition - EBML_ID_LENGTH(PossibleID);
++              Result->ElementPosition = ParseStart + IdStart;
++              Result->SizePosition = Result->ElementPosition + PossibleID_Length;
+               // place the file at the beggining of the data
+               DataStream.setFilePointer(Result->SizePosition + _SizeLength);
+               return Result;
+@@ -477,6 +480,7 @@ EbmlElement * EbmlElement::FindNextEleme
+     // recover all the data in the buffer minus one byte
+     ReadIndex = SizeIdx - 1;
+     memmove(&PossibleIdNSize[0], &PossibleIdNSize[1], ReadIndex);
++    IdStart++;
+     UpperLevel = UpperLevel_original;
+   } while ( MaxDataSize >= ReadSize );
+ 
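Review bot: `IdStart` is declared `uint32` next to `ReadSize`, yet it is added to `ParseStart`, a `uint64` file offset, to produce `Result->ElementPosition`, so the computed position is only right while fewer than 4 GiB of garbage have been skipped; the new boundary check explicitly exempts `MaxDataSize == 0`, and the `if (MaxDataSize <= ReadSize)` handling that would bound the scan in that case lies outside the hunk, so I cannot tell from here whether such a scan is reachable. Widening the counter, `uint32 ReadSize = 0; uint64 IdStart = 0;`, costs nothing and keeps all position arithmetic in one width. The inner `---`/`+++` headers name `libebml-1.3.5/src/EbmlElement.cpp` and `libebml-1.3.5/src/EbmlElement.cpp.bound` while the `diff --git` line names `src/EbmlElement.cpp`; whether this applies cleanly depends on the strip level `$(APPLY)` uses, which is not visible here. The enclosing `FindNextElement` starts and ends outside the hunk.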
diff --git a/contrib/src/ebml/rules.mak b/contrib/src/ebml/rules.mak
index 039c9283c8..e916559166 100644
--- a/contrib/src/ebml/rules.mak
+++ b/contrib/src/ebml/rules.mak
@@ -17,6 +17,7 @@ ebml: libebml-$(EBML_VERSION).tar.xz .sum-ebml
 	$(APPLY) $(SRC)/ebml/ebml-maxread.patch
 	$(APPLY) $(SRC)/ebml/unknown-check.patch
 	$(APPLY) $(SRC)/ebml/max-size-loop.patch
+	$(APPLY) $(SRC)/ebml/ebml-end-boundary.patch
 	$(MOVE)
 
 # libebml requires exceptions


