[vlc-commits] contrib: matroska: do not use invalid lace sizes
Steve Lhomme
git at videolan.org
Thu May 23 17:40:19 CEST 2019
vlc/vlc-3.0 | branch: master | Steve Lhomme <robux4 at ycbcr.xyz> | Mon Feb 11 12:17:53 2019 +0100| [334c428ecc6714f8cf279ef61b1ae57fef998065] | committer: Hugo Beauzée-Luyssen
contrib: matroska: do not use invalid lace sizes
https://hackerone.com/reports/493336
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>
(cherry picked from commit 289595cd896c92a04353db627cfa2fb13036b461)
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>
> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=334c428ecc6714f8cf279ef61b1ae57fef998065
---
...-not-attempt-to-use-laced-sizes-that-are-.patch | 54 ++++++++++++++++++++++
contrib/src/matroska/rules.mak | 1 +
2 files changed, 55 insertions(+)
diff --git a/contrib/src/matroska/0001-KaxBlock-do-not-attempt-to-use-laced-sizes-that-are-.patch b/contrib/src/matroska/0001-KaxBlock-do-not-attempt-to-use-laced-sizes-that-are-.patch
new file mode 100644
index 0000000000..0ec07f6661
--- /dev/null
+++ b/contrib/src/matroska/0001-KaxBlock-do-not-attempt-to-use-laced-sizes-that-are-.patch
@@ -0,0 +1,54 @@
+From 1ec615ec2b825523ecb1132794bbe771d2817b70 Mon Sep 17 00:00:00 2001
+From: Steve Lhomme <robux4 at ycbcr.xyz>
+Date: Mon, 11 Feb 2019 12:15:58 +0100
+Subject: [PATCH] KaxBlock: do not attempt to use laced sizes that are clearly
+ invalid
+
+---
+ src/KaxBlock.cpp | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/KaxBlock.cpp b/src/KaxBlock.cpp
+index 878d9a2..a1df83e 100644
+--- a/src/KaxBlock.cpp
++++ b/src/KaxBlock.cpp
+@@ -628,7 +628,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+ // put all Frames in the list
+ if (mLacing != LACING_NONE) {
+ // read the number of frames in the lace
+- uint32 LastBufferSize = GetSize() - BlockHeadSize - 1; // 1 for number of frame
++ const uint32 TotalLacedSize = GetSize() - BlockHeadSize - 1; // 1 for number of frame
++ uint32 LastBufferSize = TotalLacedSize;
+ uint8 FrameNum = _TempHead[0]; // number of frames in the lace - 1
+ // read the list of frame sizes
+ uint8 Index;
+@@ -646,6 +647,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+ do {
+ Result += input.read(_TempHead, 1);
+ FrameSize += uint8(_TempHead[0]);
++ if (FrameSize > TotalLacedSize)
++ throw SafeReadIOCallback::EndOfStreamX(0);
+ LastBufferSize--;
+
+ FirstFrameLocation++;
+@@ -662,6 +665,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+ cursor = _tmpBuf = new binary[FrameNum*4]; /// \warning assume the mean size will be coded in less than 4 bytes
+ Result += input.read(cursor, FrameNum*4);
+ FrameSize = ReadCodedSizeValue(cursor, SizeRead, SizeUnknown);
++ if (FrameSize > TotalLacedSize)
++ throw SafeReadIOCallback::EndOfStreamX(0);
+ SizeList[0] = FrameSize;
+ cursor += SizeRead;
+ LastBufferSize -= FrameSize + SizeRead;
+@@ -670,6 +675,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+ // get the size of the frame
+ SizeRead = LastBufferSize;
+ FrameSize += ReadCodedSizeSignedValue(cursor, SizeRead, SizeUnknown);
++ if (FrameSize > TotalLacedSize)
++ throw SafeReadIOCallback::EndOfStreamX(0);
+ SizeList[Index] = FrameSize;
+ cursor += SizeRead;
+ LastBufferSize -= FrameSize + SizeRead;
+--
+2.19.1.windows.1
+
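Review bot: The three new `if (FrameSize > TotalLacedSize)` guards bound each lace element on its own, so several frames that each fit inside the lace can still sum past it, and the unsigned `LastBufferSize -= FrameSize + SizeRead;` that follows each EBML-lacing guard can still wrap and leave a huge remaining size for the next frame. Comparing against the remaining budget instead closes that at both EBML sites: `if (FrameSize + SizeRead > LastBufferSize) throw SafeReadIOCallback::EndOfStreamX(0);`, with an equivalent `FrameSize > LastBufferSize` comparison at the Xiph site, where `LastBufferSize--` is applied per size byte. `TotalLacedSize = GetSize() - BlockHeadSize - 1` is itself unsigned and wraps if GetSize() is less than BlockHeadSize + 1, in which case the new checks pass trivially; whether GetSize() is validated before this point is not visible in the hunk. KaxInternalBlock::ReadData starts and ends outside the hunk.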
diff --git a/contrib/src/matroska/rules.mak b/contrib/src/matroska/rules.mak
index 5ed287e465..66173290cf 100644
--- a/contrib/src/matroska/rules.mak
+++ b/contrib/src/matroska/rules.mak
@@ -19,6 +19,7 @@ $(TARBALLS)/libmatroska-$(MATROSKA_VERSION).tar.xz:
libmatroska: libmatroska-$(MATROSKA_VERSION).tar.xz .sum-matroska
$(UNPACK)
$(APPLY) $(SRC)/matroska/0001-KaxBlock-don-t-reset-potentially-unallocated-memory.patch
+ $(APPLY) $(SRC)/matroska/0001-KaxBlock-do-not-attempt-to-use-laced-sizes-that-are-.patch
$(call pkg_static,"libmatroska.pc.in")
$(MOVE)