[vlc-devel] [PATCH] better size checking of EBML elements before we read them
Denis Charmet
typx at dinauz.org
Mon Feb 23 10:57:17 CET 2015
Hi,
On Monday, 23 February 2015 at 10:34:01, Steve Lhomme wrote:
> @@ -296,7 +296,7 @@ SimpleTag * matroska_segment_c::ParseSimpleTags( KaxTagSimple *tag, int target_t
> {
> while( ( el = ep->Get() ) != NULL && size < max_size)
> {
> - if( unlikely( el->GetSize() >= SIZE_MAX ) )
> + if( unlikely( !el->ValidateSize() ) )
Unless libebml has fixed the integer overflow when allocating size+1 for
strings without checking that size < SIZE_MAX, this might cause a buffer
overflow if someone starts declaring strings with SIZE_MAX length.
> {
> msg_Err( &sys.demuxer, "Error %s too big ignoring the tag", typeid(*el).name() );
> delete ep;
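Review bot: the removed condition `el->GetSize() >= SIZE_MAX` is the only guard visible in this hunk against the `size + 1` wrap-around when a string payload is allocated; nothing shown proves that `ValidateSize()` rejects that case, so either keep the explicit `>= SIZE_MAX` test next to `!el->ValidateSize()` or state in the commit message what `ValidateSize()` guarantees. The unchanged log text `"Error %s too big ignoring the tag"` now describes only one of the reasons `ValidateSize()` could fail; consider `"Error %s invalid size, ignoring the tag"` so the message matches the new check.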
Regards,
--
Denis Charmet - TypX
A bad attitude is an art of living
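The wrap-around Denis describes, shown as an added example that is not part of this thread, of VLC or of libebml: `ElementHeader`, `string_size_is_safe`, `unchecked_alloc_length` and `read_ebml_string` are hypothetical names modelling an EBML element whose declared size is read from the header. It demonstrates that `size + 1` becomes 0 for a declared size of SIZE_MAX, and the check a demuxer needs before allocating the NUL-terminated copy: the size must be below SIZE_MAX and must not exceed what the parent element still holds. The payload bytes are constructed inline.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <string>
#include <vector>

// Hypothetical model of an EBML element header (not libebml's API):
// the size field as declared in the file, and the bytes the enclosing
// parent element still has left for this child.
struct ElementHeader {
    uint64_t declared_size;
    uint64_t parent_remaining;
};

// The unchecked pattern from the thread, reduced to its arithmetic:
// allocating declared_size + 1 for a NUL terminator without any range check.
// For declared_size == SIZE_MAX the result wraps to 0, so a later copy of the
// payload into that allocation would write past a zero-length buffer.
// Nothing is allocated here; only the length is computed.
size_t unchecked_alloc_length(uint64_t declared_size) {
    return static_cast<size_t>(declared_size) + 1;
}

// Hardened check: true only if declared_size + 1 cannot wrap on this platform
// and the payload fits inside the bytes remaining in the parent element.
bool string_size_is_safe(const ElementHeader &h) {
    // Rejects SIZE_MAX (size + 1 wraps) and anything wider than size_t.
    if (h.declared_size >= std::numeric_limits<size_t>::max()) return false;
    // A child cannot be larger than what its parent has left.
    if (h.declared_size > h.parent_remaining) return false;
    return true;
}

// Copy a string payload out of a constructed buffer, but only after the
// size has been validated; returns false instead of touching memory when
// the header lies about its size.
bool read_ebml_string(const ElementHeader &h,
                      const std::vector<unsigned char> &payload,
                      std::string &out) {
    if (!string_size_is_safe(h)) return false;
    if (payload.size() < h.declared_size) return false;  // truncated input
    out.assign(reinterpret_cast<const char *>(payload.data()),
               static_cast<size_t>(h.declared_size));
    return true;
}

int main() {
    // Constructed sample payload: a three-byte string.
    std::vector<unsigned char> payload = {'a', 'b', 'c'};
    std::string out;

    std::printf("size+1 for SIZE_MAX = %zu\n", unchecked_alloc_length(SIZE_MAX));
    std::printf("SIZE_MAX accepted? %s\n",
                string_size_is_safe({SIZE_MAX, 100}) ? "yes" : "no");
    std::printf("3 bytes in a 10-byte parent read ok? %s\n",
                read_ebml_string({3, 10}, payload, out) ? "yes" : "no");
    return 0;
}
```

The parent-size comparison is the second half of the check: a declared size that is below SIZE_MAX but larger than the enclosing element is still a malformed file, and rejecting it at the header keeps the read loop from trusting a size the stream cannot back.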