[vlc-commits] [Git][videolan/vlc][master] 2 commits: demux: mkv: do not allow infinite elements inside finite parents

[Steve Lhomme (@robUx4)]

Steve Lhomme pushed to branch master at VideoLAN / VLC


Commits:
85befdbe by Steve Lhomme at 2026-04-28T13:50:32+00:00
demux: mkv: do not allow infinite elements inside finite parents

Only Segment [^1] and Clusters [^2] are allowed to be infinite.
And they are not read through this code.
libmatroska still allows any Master element to be infinite.

Fixes #29578

[^1]: https://www.rfc-editor.org/rfc/rfc9559#section-5.1
[^2]: https://www.rfc-editor.org/rfc/rfc9559#section-5.1.3

- - - - -
ec5601c0 by Steve Lhomme at 2026-04-28T13:50:32+00:00
demux: mkv: do not SkipData on elements with an unknown size

It can loop infinitely.

Ref #29578

- - - - -


1 changed file:

- modules/demux/mkv/Ebml_parser.cpp


Changes:

=====================================
modules/demux/mkv/Ebml_parser.cpp
=====================================
@@ -147,21 +147,32 @@ EbmlElement *EbmlParser::Get( bool allow_overshoot )
         EbmlElement *ret = m_el[mi_level];
         return_previous_parent = false;
 
-        if( mi_level > 0 && m_el[mi_level-1]->IsFiniteSize() && ret->IsFiniteSize() &&
-            ret->GetEndPosition() > m_el[mi_level-1]->GetEndPosition() )
+        if( mi_level > 0 && m_el[mi_level-1]->IsFiniteSize() )
         {
-            msg_Err( p_demux, "EBML element at %" PRIu64 " extends beyond parent boundary (%" PRIu64 " beyond %" PRIu64 ")",
-                m_el[mi_level]->GetElementPosition(), m_el[mi_level]->GetEndPosition(), m_el[mi_level-1]->GetEndPosition() );
-            delete ret;
-            m_el[mi_level] = NULL;
-            return NULL;
+            if( ret->IsFiniteSize() &&
+                ret->GetEndPosition() > m_el[mi_level-1]->GetEndPosition() )
+            {
+                msg_Err( p_demux, "EBML element at %" PRIu64 " extends beyond parent boundary (%" PRIu64 " beyond %" PRIu64 ")",
+                         ret->GetElementPosition(), ret->GetEndPosition(), m_el[mi_level-1]->GetEndPosition() );
+                delete ret;
+                m_el[mi_level] = NULL;
+                return NULL;
+            }
+            if( !ret->IsFiniteSize() )
+            {
+                msg_Err( p_demux, "Infinite EBML element %s at %" PRIu64 " inside finite parent",
+                         EBML_NAME(ret), ret->GetElementPosition() );
+                delete ret;
+                m_el[mi_level] = NULL;
+                return NULL;
+            }
         }
         return ret;
     }
 
 next:
     p_prev = m_el[mi_level];
-    if( p_prev )
+    if( p_prev && p_prev->IsFiniteSize() )
         p_prev->SkipData( *m_es, EBML_CONTEXT(p_prev) );
 
     uint64_t i_max_read;
@@ -270,7 +281,7 @@ next:
     {
         msg_Dbg( p_demux,"MKV/Ebml Parser: m_el[mi_level] == NULL" );
         /* go back to the end of the parent */
-        if( p_prev )
+        if( p_prev && p_prev->IsFiniteSize() )
             p_prev->SkipData( *m_es, EBML_CONTEXT(p_prev) );
     }
     else if( m_el[mi_level]->IsDummy() && !mb_dummy )



View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/a29f54214208df3bf232e3926fb332bf13ec79ee...ec5601c05a8cc5600f177efb474339be3ffe87f0

-- 
View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/a29f54214208df3bf232e3926fb332bf13ec79ee...ec5601c05a8cc5600f177efb474339be3ffe87f0
You're receiving this email because of your account on code.videolan.org.