KaxBlockInternal: check EBML lace sizes against available buffer space

2015-10-20 12:00:53 +02:00 · 2015-10-20 12:00:53 +02:00 · 0a2d3e3644
commit 0a2d3e3644
parent 4934049696
2 changed files with 14 additions and 0 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+2015-10-20  Moritz Bunkus  <moritz@bunkus.org>
+
+        * KaxInternalBlock::ReadData(): Fixed an invalid memory
+        access. When reading a block group or a simple block that uses
+        EBML lacing the frame sizes indicated in the lacing weren't
+        checked against the available number of bytes. If the indicated
+        frame size was bigger than the whole block's size the parser would
+        read beyond the end of the buffer resulting in a heap information
+        leak.
+
 2015-10-17  Moritz Bunkus  <moritz@bunkus.org>

        * Released v1.4.3.
--- a/src/KaxBlock.cpp
+++ b/src/KaxBlock.cpp
@ -529,6 +529,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
          case LACING_EBML:
            SizeRead = LastBufferSize;
            FrameSize = ReadCodedSizeValue(BufferStart + Mem.GetPosition(), SizeRead, SizeUnknown);
+            if (!FrameSize || (static_cast<uint32>(FrameSize + SizeRead) > LastBufferSize))
+              throw SafeReadIOCallback::EndOfStreamX(SizeRead);
            SizeList[0] = FrameSize;
            Mem.Skip(SizeRead);
            LastBufferSize -= FrameSize + SizeRead;
@ -537,6 +539,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
              // get the size of the frame
              SizeRead = LastBufferSize;
              FrameSize += ReadCodedSizeSignedValue(BufferStart + Mem.GetPosition(), SizeRead, SizeUnknown);
+              if (!FrameSize || (static_cast<uint32>(FrameSize + SizeRead) > LastBufferSize))
+                throw SafeReadIOCallback::EndOfStreamX(SizeRead);
              SizeList[Index] = FrameSize;
              Mem.Skip(SizeRead);
              LastBufferSize -= FrameSize + SizeRead;