[vlc-commits] [Git][videolan/vlc][3.0.x] 4 commits: contrib: matroska: fix leak when EBML lacing reading is aborted

Steve Lhomme (@robUx4) gitlab at videolan.org
Tue Apr 28 08:55:34 UTC 2026



Steve Lhomme pushed to branch 3.0.x at VideoLAN / VLC


Commits:
f946d8f0 by Steve Lhomme at 2026-04-28T07:33:45+00:00
contrib: matroska: fix leak when EBML lacing reading is aborted

Fixes oss-fuzz 6656524064980992.

(cherry picked from commit 48ea57b3aab2a5e956d3c62760d0815cf4846b55)
Signed-off-by: Steve Lhomme <robux4 at ycbcr.xyz>

- - - - -
723bb39e by Steve Lhomme at 2026-04-28T07:33:45+00:00
contrib: matroska: fix bogus unique_ptr array

Fixes #29446

(cherry picked from commit 6956cb7184d10ab89d792f1e1b84ac7f0d585c7c)
Signed-off-by: Steve Lhomme <robux4 at ycbcr.xyz>

- - - - -
8d46d802 by Steve Lhomme at 2026-04-28T07:33:45+00:00
contrib: matroska: update to 1.7.1

(cherry picked from commit f017f75e9c561dec743e88a4caa0011aee8b9ffc) (rebased)
rebased:
- VLC 3 doesn't use https
Signed-off-by: Steve Lhomme <robux4 at ycbcr.xyz>

- - - - -
491ee3dc by Steve Lhomme at 2026-04-28T07:33:45+00:00
contrib: matroska: fix block buffers leaking on End Of Stream error

We call ksblock.ReleaseFrames() if we didn't read data when we should have.
But it's too late, the list of buffers is gone.

This is the case since libmatroska 1.4.2 [^1].

Fixes #29541

[^1]: https://github.com/Matroska-Org/libmatroska/commit/4457e70466dcc77984202a05525428383cb74fe3

(cherry picked from commit c127539673823a8e6e09b0542f78a3ee7b17f20d)
Signed-off-by: Steve Lhomme <robux4 at ycbcr.xyz>

- - - - -


4 changed files:

- + contrib/src/matroska/0001-KaxBlock-fix-leak-when-reading-EBML-lace-is-aborted.patch
- + contrib/src/matroska/0001-KaxBlock-release-read-buffers-on-EndOfStream-error.patch
- contrib/src/matroska/SHA512SUMS
- contrib/src/matroska/rules.mak


Changes:

=====================================
contrib/src/matroska/0001-KaxBlock-fix-leak-when-reading-EBML-lace-is-aborted.patch
=====================================
@@ -0,0 +1,59 @@
+From 6d2ad6dfb9d16a7747cc8395b022fc20eb91d3ec Mon Sep 17 00:00:00 2001
+From: Steve Lhomme <slhomme at matroska.org>
+Date: Fri, 24 Oct 2025 11:18:54 +0200
+Subject: [PATCH 1/2] KaxBlock: fix leak when reading EBML lace is aborted
+
+---
+ src/KaxBlock.cpp | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/KaxBlock.cpp b/src/KaxBlock.cpp
+index 62b0947..6a61b73 100644
+--- a/src/KaxBlock.cpp
++++ b/src/KaxBlock.cpp
+@@ -44,6 +44,8 @@
+ #include "matroska/KaxCluster.h"
+ #include "matroska/KaxDefines.h"
+ 
++#include <memory>
++
+ namespace libmatroska {
+ 
+ DataBuffer * DataBuffer::Clone()
+@@ -582,7 +584,6 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+       if (Result != 5)
+         throw SafeReadIOCallback::EndOfStreamX(0);
+       binary *cursor = _TempHead;
+-      binary *_tmpBuf;
+       uint8 BlockHeadSize = 4;
+ 
+       // update internal values
+@@ -656,8 +657,10 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+             SizeList[Index] = LastBufferSize;
+             break;
+           case LACING_EBML:
++          {
+             SizeRead = LastBufferSize;
+-            cursor = _tmpBuf = new binary[FrameNum*4]; /// \warning assume the mean size will be coded in less than 4 bytes
++            auto _tmpBuf = std::make_unique<binary>(FrameNum*4); /// \warning assume the mean size will be coded in less than 4 bytes
++            cursor = _tmpBuf.get();
+             Result += input.read(cursor, FrameNum*4);
+             FrameSize = ReadCodedSizeValue(cursor, SizeRead, SizeUnknown);
+             if (FrameSize > TotalLacedSize)
+@@ -677,11 +680,11 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+               LastBufferSize -= FrameSize + SizeRead;
+             }
+ 
+-            FirstFrameLocation += cursor - _tmpBuf;
++            FirstFrameLocation += cursor - _tmpBuf.get();
+ 
+             SizeList[Index] = LastBufferSize;
+-            delete [] _tmpBuf;
+             break;
++          }
+           case LACING_FIXED:
+             for (Index=0; Index<=FrameNum; Index++) {
+               // get the size of the frame
+-- 
+2.52.0.windows.1
+
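Review bot: In the `LACING_EBML` case, `std::make_unique<binary>(FrameNum*4)` passes the non-array type as the template argument, so it constructs a single `binary` initialised from `FrameNum*4` rather than an array of `FrameNum*4` elements. The following `input.read(cursor, FrameNum*4)` still reads that many bytes into it. The removed line was `new binary[FrameNum*4]`, so the array form `std::make_unique<binary[]>(FrameNum*4)` is what keeps the original buffer size. The patch also has no message body; one sentence naming the exit path that skipped the removed `delete [] _tmpBuf;` would make the leak fix reviewable on its own.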


=====================================
contrib/src/matroska/0001-KaxBlock-release-read-buffers-on-EndOfStream-error.patch
=====================================
@@ -0,0 +1,24 @@
+From b0220cd5dde77970452a74dd9046b17617d3c7b8 Mon Sep 17 00:00:00 2001
+From: Steve Lhomme <robux4 at ycbcr.xyz>
+Date: Wed, 22 Apr 2026 07:50:09 +0200
+Subject: [PATCH] KaxBlock: release read buffers on EndOfStream error
+
+---
+ src/KaxBlock.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/KaxBlock.cpp b/src/KaxBlock.cpp
+index 1fae7e4..1522799 100644
+--- a/src/KaxBlock.cpp
++++ b/src/KaxBlock.cpp
+@@ -708,6 +708,7 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+   } catch (SafeReadIOCallback::EndOfStreamX &) {
+     SetValueIsSet(false);
+ 
++    ReleaseFrames();
+     myBuffers.clear();
+     SizeList.clear();
+     Timecode           = 0;
+-- 
+2.52.0.windows.1
+
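Review bot: The added `ReleaseFrames();` is only effective because it runs before `myBuffers.clear();` in this catch block, and nothing in the code records that ordering requirement. A short comment on that line saying the buffers must be released while the list still holds them would keep a later reorder from reintroducing the leak. The patch header has no description either, so the reasoning lives only in the VLC commit message and not in the patch file.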


=====================================
contrib/src/matroska/SHA512SUMS
=====================================
@@ -1 +1 @@
-e635958113ab57fb6c7e808d4ad51f87c38ec6ff348b202df1789b34d25ca22bc00fbdf1ec4f386bc803ef3da9f57057bae78ecf22deabdf1399755b1c6fdd3e  libmatroska-1.7.0.tar.xz
+a6f38d388f6c9bfe399b9263ba4ef0965cfb4e27b39ac04453d5c9a9db8eac719a04c87b58d88b612902297e17aa7437382a66332f3f5b3d41744a13351751fd  libmatroska-1.7.1.tar.xz


=====================================
contrib/src/matroska/rules.mak
=====================================
@@ -1,6 +1,6 @@
 # matroska
 
-MATROSKA_VERSION := 1.7.0
+MATROSKA_VERSION := 1.7.1
 MATROSKA_URL := http://dl.matroska.org/downloads/libmatroska/libmatroska-$(MATROSKA_VERSION).tar.xz
 
 PKGS += matroska
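Review bot: `MATROSKA_URL` stays on plain `http://` after the bump to 1.7.1, so the SHA512SUMS entry for `libmatroska-1.7.1.tar.xz` is the only integrity check on the downloaded tarball. It is worth confirming that the new hash was computed from a copy verified independently of this URL and noting that in the commit message.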
@@ -19,6 +19,8 @@ $(TARBALLS)/libmatroska-$(MATROSKA_VERSION).tar.xz:
 matroska: libmatroska-$(MATROSKA_VERSION).tar.xz .sum-matroska
 	$(UNPACK)
 	$(call pkg_static,"libmatroska.pc.in")
+	$(APPLY) $(SRC)/matroska/0001-KaxBlock-release-read-buffers-on-EndOfStream-error.patch
+	$(APPLY) $(SRC)/matroska/0001-KaxBlock-fix-leak-when-reading-EBML-lace-is-aborted.patch
 	$(MOVE)
 
 .matroska: matroska toolchain.cmake
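Review bot: Both added `$(APPLY)` lines reference files prefixed `0001-`, and the lace patch carries a `[PATCH 1/2]` subject from a different series, so the intended apply order is expressed only by the line order in this rule. Both patches modify `src/KaxBlock.cpp`; numbering the files 0001/0002 in the order they are applied would make that dependency explicit.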



View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/f4d0e34f37b62625fca0a2a440a934cc92ff4410...491ee3dce83f5b342eb65c587246a746544ca098
