Limit string element size to 20 million bytes.

Avoids crashes in allocators when fuzzers or maliciously
crafted streams make elements appear extremely large.

BUG=b/68352235

Change-Id: I71c293d8abdff0d188a881c4366bc09182ac32f8
Tom Finegan 2018-01-30 15:00:40 -08:00
parent 12b42e9920
commit 6ab4f8fa97


@ -23,6 +23,7 @@
#include "common/webmids.h"
namespace mkvparser {
const long long kStringElementSizeLimit = 20 * 1000 * 1000;
const float MasteringMetadata::kValueNotPresent = FLT_MAX;
const long long Colour::kValueNotPresent = LLONG_MAX;
const float Projection::kValueNotPresent = FLT_MAX;
@ -325,7 +326,7 @@ long UnserializeString(IMkvReader* pReader, long long pos, long long size,
delete[] str;
str = NULL;
if (size >= LONG_MAX || size < 0)
if (size >= LONG_MAX || size < 0 || size > kStringElementSizeLimit)
return E_FILE_FORMAT_INVALID;
// +1 for '\0' terminator
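Review bot: The new constant `kStringElementSizeLimit` on the first hunk's added line carries no comment saying why the bound exists or why 20 MB was chosen, and the rejection added in the second hunk returns the same E_FILE_FORMAT_INVALID as any other malformed field, so a later maintainer could raise or drop the limit without realizing it is a hardening bound against a stream-supplied size. I would document it at the definition: `// Upper bound on a string element's payload; larger sizes are treated as corrupt input so a crafted size field cannot drive an oversized allocation (b/68352235).` With the new bound in place the existing `size >= LONG_MAX` clause is subsumed on any platform where long can hold 20 million, so it is worth one line noting it is kept deliberately as a guard independent of the tunable limit, or else dropping it to keep the condition minimal. This cap only protects UnserializeString; if other element readers in the parser allocate from a stream-supplied size they presumably need an equivalent check, which cannot be confirmed from these hunks. UnserializeString's body continues past the end of the hunk, so the allocation the comment refers to is not visible here.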