[vlc-commits] [Git][videolan/vlc][master] contrib: matroska: fix leak when EBML lacing reading is aborted
Steve Lhomme (@robUx4)
gitlab at videolan.org
Mon Oct 27 21:08:53 UTC 2025
Steve Lhomme pushed to branch master at VideoLAN / VLC
Commits:
48ea57b3 by Steve Lhomme at 2025-10-27T20:35:22+00:00
contrib: matroska: fix leak when EBML lacing reading is aborted
Fixes oss-fuzz 6656524064980992.
- - - - -
2 changed files:
- + contrib/src/matroska/0001-KaxBlock-fix-leak-when-reading-EBML-lace-is-aborted.patch
- contrib/src/matroska/rules.mak
Changes:
=====================================
contrib/src/matroska/0001-KaxBlock-fix-leak-when-reading-EBML-lace-is-aborted.patch
=====================================
@@ -0,0 +1,59 @@
+From 9070393b99a801251ea55125c5236b5600a37eb9 Mon Sep 17 00:00:00 2001
+From: Steve Lhomme <slhomme at matroska.org>
+Date: Fri, 24 Oct 2025 11:18:54 +0200
+Subject: [PATCH] KaxBlock: fix leak when reading EBML lace is aborted
+
+---
+ src/KaxBlock.cpp | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/KaxBlock.cpp b/src/KaxBlock.cpp
+index fd37ad5..29073b5 100644
+--- a/src/KaxBlock.cpp
++++ b/src/KaxBlock.cpp
+@@ -44,6 +44,8 @@
+ #include "matroska/KaxCluster.h"
+ #include "matroska/KaxDefines.h"
+
++#include <memory>
++
+ namespace libmatroska {
+
+ DataBuffer * DataBuffer::Clone()
+@@ -582,7 +584,6 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+ if (Result != 5)
+ throw SafeReadIOCallback::EndOfStreamX(0);
+ binary *cursor = _TempHead;
+- binary *_tmpBuf;
+ uint8 BlockHeadSize = 4;
+
+ // update internal values
+@@ -656,8 +657,10 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+ SizeList[Index] = LastBufferSize;
+ break;
+ case LACING_EBML:
++ {
+ SizeRead = LastBufferSize;
+- cursor = _tmpBuf = new binary[FrameNum*4]; /// \warning assume the mean size will be coded in less than 4 bytes
++ auto _tmpBuf = std::make_unique<binary>(FrameNum*4); /// \warning assume the mean size will be coded in less than 4 bytes
++ cursor = _tmpBuf.get();
+ Result += input.read(cursor, FrameNum*4);
+ FrameSize = ReadCodedSizeValue(cursor, SizeRead, SizeUnknown);
+ if (FrameSize > TotalLacedSize)
+@@ -677,11 +680,11 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+ LastBufferSize -= FrameSize + SizeRead;
+ }
+
+- FirstFrameLocation += cursor - _tmpBuf;
++ FirstFrameLocation += cursor - _tmpBuf.get();
+
+ SizeList[Index] = LastBufferSize;
+- delete [] _tmpBuf;
+ break;
++ }
+ case LACING_FIXED:
+ for (Index=0; Index<=FrameNum; Index++) {
+ // get the size of the frame
+--
+2.50.1 (Apple Git-155)
+
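Review bot: `std::make_unique<binary>(FrameNum*4)` in the `LACING_EBML` case of the embedded KaxBlock.cpp patch allocates a single `binary` object initialised with the value `FrameNum*4`, not an array of `FrameNum*4` elements as the removed `new binary[FrameNum*4]` did. The next line, `input.read(cursor, FrameNum*4)`, then writes past that one-element allocation, so as written the leak fix introduces a heap out-of-bounds write whose size appears to be driven by the file being parsed (`FrameNum` is set outside the hunk; confirm). The array form is `auto _tmpBuf = std::make_unique<binary[]>(FrameNum*4);`, which releases with `delete[]`, value-initialises the buffer, and keeps `_tmpBuf.get()` usable for the `cursor - _tmpBuf.get()` arithmetic further down. Separately, the return value of `input.read` is added to `Result` but not compared with `FrameNum*4`, so a short read is worth rejecting before `ReadCodedSizeValue` walks the buffer. `ReadData`'s body starts and ends outside the hunks shown.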
=====================================
contrib/src/matroska/rules.mak
=====================================
@@ -19,6 +19,7 @@ $(TARBALLS)/libmatroska-$(MATROSKA_VERSION).tar.xz:
matroska: libmatroska-$(MATROSKA_VERSION).tar.xz .sum-matroska
$(UNPACK)
$(call pkg_static,"libmatroska.pc.in")
+ $(APPLY) $(SRC)/matroska/0001-KaxBlock-fix-leak-when-reading-EBML-lace-is-aborted.patch
$(MOVE)
.matroska: matroska toolchain.cmake
View it on GitLab: https://code.videolan.org/videolan/vlc/-/commit/48ea57b3aab2a5e956d3c62760d0815cf4846b55