[vlc-commits] mkv: Improve PCI events handling

Hugo Beauzée-Luyssen git at videolan.org
Wed Aug 14 18:24:36 CEST 2019


vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Tue Aug 13 16:25:53 2019 +0200| [78af05d741ea0c48202bfa9e4f4d2a1a9b75e9a5] | committer: Hugo Beauzée-Luyssen

mkv: Improve PCI events handling

CVE-2019-14970
(manually cherry picked from commit
51450a0f3c5c6a0fefc5ae25f35fe34ef3484af0)

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=78af05d741ea0c48202bfa9e4f4d2a1a9b75e9a5
---

 modules/demux/mkv/demux.cpp | 5 +++--
 modules/demux/mkv/mkv.cpp   | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/modules/demux/mkv/demux.cpp b/modules/demux/mkv/demux.cpp
index 3efb97f0b5..6fa2418dd2 100644
--- a/modules/demux/mkv/demux.cpp
+++ b/modules/demux/mkv/demux.cpp
@@ -46,10 +46,11 @@ void event_thread_t::SetPci(const pci_t *data)
 {
     vlc_mutex_locker l(&lock);
 
-    pci_packet = *data;
+    memcpy(&pci_packet, data, sizeof(pci_packet));
 
 #ifndef WORDS_BIGENDIAN
-    for( uint8_t button = 1; button <= pci_packet.hli.hl_gi.btn_ns; button++) {
+    for( uint8_t button = 1; button <= pci_packet.hli.hl_gi.btn_ns &&
+         button < ARRAY_SIZE(pci_packet.hli.btnit); button++) {
         btni_t *button_ptr = &(pci_packet.hli.btnit[button-1]);
         binary *p_data = (binary*) button_ptr;
 
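Review bot: the added bound `button < ARRAY_SIZE(pci_packet.hli.btnit)` in the for loop is one stricter than the indexing needs. The body reads `btnit[button-1]` with `button` starting at 1, so the last array entry is never reached by this loop even when `btn_ns` covers it; `button <= ARRAY_SIZE(pci_packet.hli.btnit)` would keep the access in bounds and still handle a full button table. A short comment on the `memcpy` would also help, since the caller passes `&p_block->p_buffer[1]`, which need not be aligned for `pci_t`, and that is not obvious from this function alone.
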
diff --git a/modules/demux/mkv/mkv.cpp b/modules/demux/mkv/mkv.cpp
index 5cb3f7ea95..87a8736d16 100644
--- a/modules/demux/mkv/mkv.cpp
+++ b/modules/demux/mkv/mkv.cpp
@@ -638,7 +638,8 @@ void BlockDecode( demux_t *p_demux, KaxBlock *block, KaxSimpleBlock *simpleblock
             if ( track.fmt.i_cat == DATA_ES )
             {
                 // TODO handle the start/stop times of this packet
-                p_sys->p_ev->SetPci( (const pci_t *)&p_block->p_buffer[1]);
+                if( p_block->i_size >= sizeof(pci_t))
+                    p_sys->p_ev->SetPci( (const pci_t *)&p_block->p_buffer[1]);
                 block_Release( p_block );
                 return;
             }
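
Review bot: the new check `p_block->i_size >= sizeof(pci_t)` does not account for the one-byte offset in the pointer passed on the next line. `SetPci` now copies `sizeof(pci_packet)` bytes starting at `&p_block->p_buffer[1]`, so a block of exactly `sizeof(pci_t)` bytes is still read one byte past its end. The condition should cover the offset as well, for example `p_block->i_size >= sizeof(pci_t) + 1`.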


