[vlc-devel] [PATCH] better size checking of EBML elements before we read them

Steve Lhomme robux4 at gmail.com
Mon Feb 23 11:18:24 CET 2015


Yes, for now it's only checking if it's a finite size, not for a max size.

I'm not sure a String of SIZE_MAX - 1 (which would be okay in your
case) would be much better. For example, EbmlBinary has a max valid
size of 0x7FFFFFFF, whereas SIZE_MAX is 0xFFFFFFFF (on my platform).
Allocating either size for a string is just crazy.

I'll apply the same safety check in EbmlString of libebml.

VLC might enforce even stricter sizes. Are there such rules in other parsers?

On Mon, Feb 23, 2015 at 10:57 AM, Denis Charmet <typx at dinauz.org> wrote:
> Hi,
>
> On Monday 23 February 2015 at 10:34:01, Steve Lhomme wrote:
>> @@ -296,7 +296,7 @@ SimpleTag * matroska_segment_c::ParseSimpleTags( KaxTagSimple *tag, int target_t
>>      {
>>          while( ( el = ep->Get() ) != NULL && size < max_size)
>>          {
>> -            if( unlikely( el->GetSize() >= SIZE_MAX ) )
>> +            if( unlikely( !el->ValidateSize() ) )
> Unless libebml has fixed the integer overflow when allocating size+1 for
> strings without checking that size < SIZE_MAX, this might cause a buffer
> overflow if someone starts declaring strings with SIZE_MAX length.
>
>>              {
>>                  msg_Err( &sys.demuxer, "Error %s too big ignoring the tag", typeid(*el).name() );
>>                  delete ep;
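Review bot: Replacing `el->GetSize() >= SIZE_MAX` with `!el->ValidateSize()` drops the one bound the demuxer enforced itself and makes it depend on libebml's per-type ValidateSize() rejecting the same sizes; as the reply above acknowledges, that check currently only verifies that the size is finite, not that it is below a maximum, so an EbmlString element declaring a size of SIZE_MAX would still pass and the size+1 allocation for the terminator that Denis points to would wrap. Keep the explicit bound alongside the new call until the libebml side lands, e.g. `if( unlikely( !el->ValidateSize() || el->GetSize() >= SIZE_MAX ) )`, and the error message on the following line then still matches what is actually being rejected.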
>
> Regards,
>
> --
> Denis Charmet - TypX
> Mischief is an art of living
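As an added illustration of the checks this thread is discussing (this is example code written for this page, not VLC or libebml code): an EBML element's declared size is validated before anything is allocated for it. The three checks are the ones named above: the size must be finite (EBML has an "unknown size" encoding, modelled here as a bool argument rather than libebml's own accessor), it must be strictly below SIZE_MAX so that the size+1 allocation the string classes do for the terminator cannot wrap, and it must respect a per-type maximum. The 0x7FFFFFFF bound for Binary is the value quoted in the thread; the String, Integer and Float bounds, the EbmlKind enum and all function names are assumptions made for this example. The unchecked allocation length is kept beside the checked one so the wrap to 0 can be observed.

```cpp
// Example code for this page, not VLC/libebml code. Validates an EBML
// element's declared size before the payload is allocated or read.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Assumed element categories; libebml uses a class per type instead.
enum class EbmlKind { Binary, String, Integer, Float };

// Per-type upper bounds. Binary matches the 0x7FFFFFFF from the thread;
// the String limit is an assumed VLC-style stricter bound for tag text.
constexpr uint64_t kMaxBinary  = 0x7FFFFFFF;
constexpr uint64_t kMaxString  = 64 * 1024;
constexpr uint64_t kMaxInteger = 8;   // EBML integers are at most 8 octets

// size_is_finite stands in for libebml's "unknown size" flag: an element
// whose size is the all-ones marker must never be treated as a length.
bool validate_element_size(uint64_t size, bool size_is_finite, EbmlKind kind) {
    if (!size_is_finite) return false;
    // Must fit in size_t with room for a +1 terminator: reject SIZE_MAX and
    // anything that does not even fit in size_t on this platform.
    if (size >= static_cast<uint64_t>(SIZE_MAX)) return false;
    switch (kind) {
        case EbmlKind::Binary:  return size <= kMaxBinary;
        case EbmlKind::String:  return size <= kMaxString;
        case EbmlKind::Integer: return size <= kMaxInteger;
        case EbmlKind::Float:   return size == 0 || size == 4 || size == 8;
    }
    return false;
}

// The unsafe pattern the thread warns about: size+1 computed in size_t
// with no check. With size == SIZE_MAX this wraps to 0, so a later
// allocation of that length is tiny while the copy uses the full size.
size_t unchecked_string_alloc_len(size_t size) {
    return size + 1;
}

// Checked variant: 0 signals rejection (a valid result is always >= 1).
size_t checked_string_alloc_len(uint64_t size) {
    if (!validate_element_size(size, true, EbmlKind::String)) return 0;
    return static_cast<size_t>(size) + 1;
}

struct StringResult {
    bool ok;
    std::string value;
};

// Reads a string payload only after its declared size passed validation
// and fits inside the bytes actually available (truncated file check).
StringResult read_ebml_string(const std::vector<unsigned char>& payload,
                              uint64_t declared_size, bool size_is_finite) {
    StringResult r{false, ""};
    if (!size_is_finite) return r;
    size_t alloc_len = checked_string_alloc_len(declared_size);
    if (alloc_len == 0) return r;
    if (declared_size > payload.size()) return r;
    r.value.assign(payload.begin(),
                   payload.begin() + static_cast<std::ptrdiff_t>(declared_size));
    r.ok = true;
    return r;
}

// Constructed sample payload for the example: the bytes of "hello".
const std::vector<unsigned char> kSamplePayload = {'h', 'e', 'l', 'l', 'o'};
```

The comparison is `>=` SIZE_MAX rather than `>` on purpose: a size of exactly SIZE_MAX is not allocatable once the terminator is added, which is exactly the case Denis raises. The per-type switch is where a parser with stricter rules than libebml's plugs in its own limits.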