[vlc-commits] contrib: matroska: do not use invalid lace sizes

Steve Lhomme git at videolan.org
Thu May 23 17:40:19 CEST 2019


vlc/vlc-3.0 | branch: master | Steve Lhomme <robux4 at ycbcr.xyz> | Mon Feb 11 12:17:53 2019 +0100| [334c428ecc6714f8cf279ef61b1ae57fef998065] | committer: Hugo Beauzée-Luyssen

contrib: matroska: do not use invalid lace sizes

https://hackerone.com/reports/493336

Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>
(cherry picked from commit 289595cd896c92a04353db627cfa2fb13036b461)
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=334c428ecc6714f8cf279ef61b1ae57fef998065
---

 ...-not-attempt-to-use-laced-sizes-that-are-.patch | 54 ++++++++++++++++++++++
 contrib/src/matroska/rules.mak                     |  1 +
 2 files changed, 55 insertions(+)

diff --git a/contrib/src/matroska/0001-KaxBlock-do-not-attempt-to-use-laced-sizes-that-are-.patch b/contrib/src/matroska/0001-KaxBlock-do-not-attempt-to-use-laced-sizes-that-are-.patch
new file mode 100644
index 0000000000..0ec07f6661
--- /dev/null
+++ b/contrib/src/matroska/0001-KaxBlock-do-not-attempt-to-use-laced-sizes-that-are-.patch
@@ -0,0 +1,54 @@
+From 1ec615ec2b825523ecb1132794bbe771d2817b70 Mon Sep 17 00:00:00 2001
+From: Steve Lhomme <robux4 at ycbcr.xyz>
+Date: Mon, 11 Feb 2019 12:15:58 +0100
+Subject: [PATCH] KaxBlock: do not attempt to use laced sizes that are clearly
+ invalid
+
+---
+ src/KaxBlock.cpp | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/KaxBlock.cpp b/src/KaxBlock.cpp
+index 878d9a2..a1df83e 100644
+--- a/src/KaxBlock.cpp
++++ b/src/KaxBlock.cpp
+@@ -628,7 +628,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+       // put all Frames in the list
+       if (mLacing != LACING_NONE) {
+         // read the number of frames in the lace
+-        uint32 LastBufferSize = GetSize() - BlockHeadSize - 1; // 1 for number of frame
++        const uint32 TotalLacedSize = GetSize() - BlockHeadSize - 1; // 1 for number of frame
++        uint32 LastBufferSize = TotalLacedSize;
+         uint8 FrameNum = _TempHead[0]; // number of frames in the lace - 1
+         // read the list of frame sizes
+         uint8 Index;
+@@ -646,6 +647,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+               do {
+                 Result += input.read(_TempHead, 1);
+                 FrameSize += uint8(_TempHead[0]);
++                if (FrameSize > TotalLacedSize)
++                    throw SafeReadIOCallback::EndOfStreamX(0);
+                 LastBufferSize--;
+ 
+                 FirstFrameLocation++;
+@@ -662,6 +665,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+             cursor = _tmpBuf = new binary[FrameNum*4]; /// \warning assume the mean size will be coded in less than 4 bytes
+             Result += input.read(cursor, FrameNum*4);
+             FrameSize = ReadCodedSizeValue(cursor, SizeRead, SizeUnknown);
++            if (FrameSize > TotalLacedSize)
++                throw SafeReadIOCallback::EndOfStreamX(0);
+             SizeList[0] = FrameSize;
+             cursor += SizeRead;
+             LastBufferSize -= FrameSize + SizeRead;
+@@ -670,6 +675,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+               // get the size of the frame
+               SizeRead = LastBufferSize;
+               FrameSize += ReadCodedSizeSignedValue(cursor, SizeRead, SizeUnknown);
++              if (FrameSize > TotalLacedSize)
++                  throw SafeReadIOCallback::EndOfStreamX(0);
+               SizeList[Index] = FrameSize;
+               cursor += SizeRead;
+               LastBufferSize -= FrameSize + SizeRead;
+-- 
+2.19.1.windows.1
+
diff --git a/contrib/src/matroska/rules.mak b/contrib/src/matroska/rules.mak
index 5ed287e465..66173290cf 100644
--- a/contrib/src/matroska/rules.mak
+++ b/contrib/src/matroska/rules.mak
@@ -19,6 +19,7 @@ $(TARBALLS)/libmatroska-$(MATROSKA_VERSION).tar.xz:
 libmatroska: libmatroska-$(MATROSKA_VERSION).tar.xz .sum-matroska
 	$(UNPACK)
 	$(APPLY) $(SRC)/matroska/0001-KaxBlock-don-t-reset-potentially-unallocated-memory.patch
+	$(APPLY) $(SRC)/matroska/0001-KaxBlock-do-not-attempt-to-use-laced-sizes-that-are-.patch
 	$(call pkg_static,"libmatroska.pc.in")
 	$(MOVE)
 



More information about the vlc-commits mailing list