EbmlElement: don't read beyond end of buffer when reading variable length integers

2015-10-20 14:49:44 +02:00 · 2015-10-20 14:49:44 +02:00 · 24e5cd7c66
commit 24e5cd7c66
parent 12b560adc2
2 changed files with 11 additions and 0 deletions
--- a/6
+++ b/6
@ -1,5 +1,11 @@
 2015-10-20  Moritz Bunkus  <moritz@bunkus.org>

+        * EbmlElement::ReadCodedSizeValue(): Fixed an invalid memory
+        access. When reading a EBML variable length integer value a read
+        access beyond the end of the available buffer was possible if
+        fewer bytes were available than indicated by the first byte
+        resulting in a heap information leak.
+
        * EbmlUnicodeString::UpdateFromUTF8(): Fixed an invalid memory
        access. When reading from a UTF-8 string in which the length
        indicated by a UTF-8 character's first byte exceeds the string's
--- a/src/EbmlElement.cpp
+++ b/src/EbmlElement.cpp
@ -150,6 +150,11 @@ uint64 ReadCodedSizeValue(const binary * InBuffer, uint32 & BufferSize, uint64 &
      // ID found
      PossibleSizeLength = SizeIdx + 1;
      SizeBitMask >>= SizeIdx;
+
+      // Guard against invalid memory accesses with incomplete IDs.
+      if (PossibleSizeLength > BufferSize)
+        break;
+
      for (SizeIdx = 0; SizeIdx < PossibleSizeLength; SizeIdx++) {
        PossibleSize[SizeIdx] = InBuffer[SizeIdx];
      }