[vlc-commits] mkv: Improve PCI events handling
Hugo Beauzée-Luyssen
git at videolan.org
Wed Aug 14 18:13:34 CEST 2019
vlc | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Mon Aug 12 11:45:46 2019 +0200| [51450a0f3c5c6a0fefc5ae25f35fe34ef3484af0] | committer: Hugo Beauzée-Luyssen
mkv: Improve PCI events handling
CVE-2019-14970
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=51450a0f3c5c6a0fefc5ae25f35fe34ef3484af0
---
modules/demux/mkv/events.cpp | 5 +++--
modules/demux/mkv/mkv.cpp | 3 ++-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/modules/demux/mkv/events.cpp b/modules/demux/mkv/events.cpp
index 12f6c430e6..93cf963340 100644
--- a/modules/demux/mkv/events.cpp
+++ b/modules/demux/mkv/events.cpp
@@ -50,10 +50,11 @@ void event_thread_t::SetPci(const pci_t *data)
{
vlc_mutex_locker l(&lock);
- pci_packet = *data;
+ memcpy(&pci_packet, data, sizeof(pci_packet));
#ifndef WORDS_BIGENDIAN
- for( uint8_t button = 1; button <= pci_packet.hli.hl_gi.btn_ns; button++) {
+ for( uint8_t button = 1; button <= pci_packet.hli.hl_gi.btn_ns &&
+ button < ARRAY_SIZE(pci_packet.hli.btnit); button++) {
btni_t *button_ptr = &(pci_packet.hli.btnit[button-1]);
binary *p_data = (binary*) button_ptr;
diff --git a/modules/demux/mkv/mkv.cpp b/modules/demux/mkv/mkv.cpp
index 1b055ce7f3..b7d8b3f95a 100644
--- a/modules/demux/mkv/mkv.cpp
+++ b/modules/demux/mkv/mkv.cpp
@@ -668,7 +668,8 @@ void BlockDecode( demux_t *p_demux, KaxBlock *block, KaxSimpleBlock *simpleblock
if ( track.fmt.i_cat == DATA_ES )
{
// TODO handle the start/stop times of this packet
- p_sys->ev.SetPci( (const pci_t *)&p_block->p_buffer[1]);
+ if( p_block->i_size >= sizeof(pci_t))
+ p_sys->ev.SetPci( (const pci_t *)&p_block->p_buffer[1]);
block_Release( p_block );
return;
}
More information about the vlc-commits
mailing list