EbmlMaster: propagate upper level element after infinite sized one correctly

When the parser encountered a deeply nested element with an infinite size then a following element of an upper level was not propagated correctly. Instead the element with the infinite size was added into the EBML element tree a second time resulting in memory access after freeing it and multiple attempts to free the same memory address during destruction. Fixes the issue reported as Cisco TALOS-CAN-0037.
2015-10-20 14:53:44 +02:00 · 2015-10-20 14:53:44 +02:00 · 88409e2a94
commit 88409e2a94
parent 24e5cd7c66
2 changed files with 16 additions and 0 deletions
--- a/8
+++ b/8
@ -1,5 +1,13 @@
 2015-10-20  Moritz Bunkus  <moritz@bunkus.org>

+        * EbmlMaster::Read(): When the parser encountered a deeply nested
+        element with an infinite size then a following element of an upper
+        level was not propagated correctly. Instead the element with the
+        infinite size was added into the EBML element tree a second time
+        resulting in memory access after freeing it and multiple attempts
+        to free the same memory address during destruction. Fixes the
+        issue reported as Cisco TALOS-CAN-0037.
+
        * EbmlElement::ReadCodedSizeValue(): Fixed an invalid memory
        access. When reading a EBML variable length integer value a read
        access beyond the end of the available buffer was possible if
--- a/src/EbmlMaster.cpp
+++ b/src/EbmlMaster.cpp
@ -454,6 +454,14 @@ void EbmlMaster::Read(EbmlStream & inDataStream, const EbmlSemanticContext & sCo
        } else {
          if (DeleteElement)
            delete ElementLevelA;
+
+          if (UpperEltFound) {
+            --UpperEltFound;
+            if (UpperEltFound > 0 || MaxSizeToRead <= 0)
+              goto processCrc;
+            ElementLevelA = FoundElt;
+          }
+
          break;
        }
      }