vlc | branch: master | Denis Charmet <[email protected]> | Mon Dec 26 00:39:13 2011 +0100| [61d512e93967a2b8e8ac6212de9f6c2db94bcc69] | committer: Jean-Baptiste Kempf
Fix a crash with corrupted MKV
If the blocksize is corrupted and has a lace, you may have a buffer overflow.
Should fix #5658.
Signed-off-by: Jean-Baptiste Kempf <[email protected]>
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=61d512e93967a2b8e8ac6212de9f6c2db94bcc69
---
 modules/demux/mkv/mkv.cpp | 15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)
diff --git a/modules/demux/mkv/mkv.cpp b/modules/demux/mkv/mkv.cpp
index a350a43..5f52656 100644
--- a/modules/demux/mkv/mkv.cpp
+++ b/modules/demux/mkv/mkv.cpp
@@ -520,6 +520,14 @@ void BlockDecode( demux_t *p_demux, KaxBlock *block, KaxSimpleBlock *simpleblock
     tk->b_inited = true;
+    size_t frame_size = 0;
+    size_t block_size = 0;
+
+    if( simpleblock != NULL )
+        block_size = simpleblock->GetSize();
+    else
+        block_size = block->GetSize();
+
     for( unsigned int i = 0;
          ( block != NULL && i < block->NumberFrames()) || ( simpleblock != NULL && i < simpleblock->NumberFrames() );
          i++ )
@@ -535,9 +543,14 @@ void BlockDecode( demux_t *p_demux, KaxBlock *block, KaxSimpleBlock *simpleblock
         else
         {
             data = &block->GetBuffer(i);
+            // condition when the DTS is correct (keyframe or B frame == NOT P frame)
         }
-        if( !data->Buffer() || data->Size() > SIZE_MAX )
+        frame_size += data->Size();
+        if( !data->Buffer() || data->Size() > SIZE_MAX || frame_size > block_size )
+        {
+            msg_Warn( p_demux, "Cannot read frame (too long or no frame)" );
             break;
+        }
         if( tk->i_compression_type == MATROSKA_COMPRESSION_HEADER && tk->p_compression_data != NULL )
             p_block = MemToBlock( data->Buffer(), data->Size(), tk->p_compression_data->GetSize() );
_______________________________________________
vlc-commits mailing list
[email protected]
http://mailman.videolan.org/listinfo/vlc-commits
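Review bot: The new bound check in the second hunk runs only after `frame_size += data->Size();` has already been accumulated, so it relies on the sum not wrapping; testing the remaining budget before adding avoids that and reads more directly: `if( !data->Buffer() || data->Size() > block_size - frame_size )` with `frame_size += data->Size();` moved below the check (frame_size never exceeds block_size once a frame is accepted, so the subtraction cannot underflow). The retained `data->Size() > SIZE_MAX` term looks like it can never be true for an operand that fits in size_t, though that depends on the return type of DataBuffer::Size(), which the hunk does not show. The added `// condition when the DTS is correct (keyframe or B frame == NOT P frame)` comment after `data = &block->GetBuffer(i);` does not describe the statement it follows and appears misplaced; either drop it or move it next to the code it refers to. BlockDecode starts before the first hunk and continues after the second.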
