[vlc-commits] [Git][videolan/vlc][master] mkv: fix OOM vulnerability when parsing oversized child elements
Steve Lhomme (@robUx4)
gitlab at videolan.org
Sat Mar 14 12:06:24 UTC 2026
Steve Lhomme pushed to branch master at VideoLAN / VLC
Commits:
4bc8283e by unichronic at 2026-03-14T11:51:24+00:00
mkv: fix OOM vulnerability when parsing oversized child elements
Properly restricts the boundaries of child elements (i_ulev == 0) to their parent's boundaries, preventing libebml from bypassing MaxDataSize and allocating enormous amounts of memory when encountering spoofed UpperLevel IDs.
- - - - -
1 changed file:
- modules/demux/mkv/Ebml_parser.cpp
Changes:
=====================================
modules/demux/mkv/Ebml_parser.cpp
=====================================
@@ -148,6 +148,15 @@ EbmlElement *EbmlParser::Get( bool allow_overshoot )
EbmlElement *ret = m_got;
m_got = NULL;
+ if( mi_level > 0 && m_el[mi_level-1]->IsFiniteSize() && ret->IsFiniteSize() &&
+ ret->GetEndPosition() > m_el[mi_level-1]->GetEndPosition() )
+ {
+ msg_Err( p_demux, "EBML element at %" PRIu64 " extends beyond parent boundary (%" PRIu64 " beyond %" PRIu64 ")",
+ m_el[mi_level]->GetElementPosition(), m_el[mi_level]->GetEndPosition(), m_el[mi_level-1]->GetEndPosition() );
+ delete ret;
+ m_el[mi_level] = NULL;
+ return NULL;
+ }
return ret;
}
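Review bot: in the added block, the condition tests `ret` but the msg_Err arguments dereference `m_el[mi_level]`, and the hunk does not show that the two are the same pointer at this point. If `m_el[mi_level]` can be NULL or point at a different element here, the error path either crashes or logs the wrong offsets. Using `ret->GetElementPosition()` and `ret->GetEndPosition()` in the message would keep the log tied to the element that was actually checked. The same aliasing question applies to `delete ret;` followed by `m_el[mi_level] = NULL;`. If they are distinct objects, the old `m_el[mi_level]` is dropped without being freed, so a short comment stating the invariant would help. The check is also skipped whenever the parent or the child reports a non-finite size; it is worth stating in a comment whether that case is bounded elsewhere. Finally, Get() now has a new NULL return path, so callers need to treat NULL as a parse error rather than a normal end of level.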
View it on GitLab: https://code.videolan.org/videolan/vlc/-/commit/4bc8283e46de625057499127441e082c295ed2e4