vlc | branch: master | Steve Lhomme <[email protected]> | Mon Feb 11 12:17:53 2019 +0100| [289595cd896c92a04353db627cfa2fb13036b461] | committer: Hugo Beauzée-Luyssen
contrib: matroska: do not use invalid lace sizes https://hackerone.com/reports/493336 Signed-off-by: Hugo Beauzée-Luyssen <[email protected]> > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=289595cd896c92a04353db627cfa2fb13036b461 --- ...-not-attempt-to-use-laced-sizes-that-are-.patch | 54 ++++++++++++++++++++++ contrib/src/matroska/rules.mak | 1 + 2 files changed, 55 insertions(+) diff --git a/contrib/src/matroska/0001-KaxBlock-do-not-attempt-to-use-laced-sizes-that-are-.patch b/contrib/src/matroska/0001-KaxBlock-do-not-attempt-to-use-laced-sizes-that-are-.patch new file mode 100644 index 0000000000..0ec07f6661 --- /dev/null +++ b/contrib/src/matroska/0001-KaxBlock-do-not-attempt-to-use-laced-sizes-that-are-.patch @@ -0,0 +1,54 @@ +From 1ec615ec2b825523ecb1132794bbe771d2817b70 Mon Sep 17 00:00:00 2001 +From: Steve Lhomme <[email protected]> +Date: Mon, 11 Feb 2019 12:15:58 +0100 +Subject: [PATCH] KaxBlock: do not attempt to use laced sizes that are clearly + invalid + +--- + src/KaxBlock.cpp | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/KaxBlock.cpp b/src/KaxBlock.cpp +index 878d9a2..a1df83e 100644 +--- a/src/KaxBlock.cpp ++++ b/src/KaxBlock.cpp +@@ -628,7 +628,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully) + // put all Frames in the list + if (mLacing != LACING_NONE) { + // read the number of frames in the lace +- uint32 LastBufferSize = GetSize() - BlockHeadSize - 1; // 1 for number of frame ++ const uint32 TotalLacedSize = GetSize() - BlockHeadSize - 1; // 1 for number of frame ++ uint32 LastBufferSize = TotalLacedSize; + uint8 FrameNum = _TempHead[0]; // number of frames in the lace - 1 + // read the list of frame sizes + uint8 Index; +@@ -646,6 +647,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully) + do { + Result += input.read(_TempHead, 1); + FrameSize += uint8(_TempHead[0]); ++ if (FrameSize > TotalLacedSize) ++ throw SafeReadIOCallback::EndOfStreamX(0); + LastBufferSize--; + + FirstFrameLocation++; +@@ -662,6 +665,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully) + cursor = _tmpBuf = new binary[FrameNum*4]; /// \warning assume the mean size will be coded in less than 4 bytes + Result += input.read(cursor, FrameNum*4); + FrameSize = ReadCodedSizeValue(cursor, SizeRead, SizeUnknown); ++ if (FrameSize > TotalLacedSize) ++ throw SafeReadIOCallback::EndOfStreamX(0); + SizeList[0] = FrameSize; + cursor += SizeRead; + LastBufferSize -= FrameSize + SizeRead; +@@ -670,6 +675,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully) + // get the size of the frame + SizeRead = LastBufferSize; + FrameSize += ReadCodedSizeSignedValue(cursor, SizeRead, SizeUnknown); ++ if (FrameSize > TotalLacedSize) ++ throw SafeReadIOCallback::EndOfStreamX(0); + SizeList[Index] = FrameSize; + cursor += SizeRead; + LastBufferSize -= FrameSize + SizeRead; +-- +2.19.1.windows.1 + diff --git a/contrib/src/matroska/rules.mak b/contrib/src/matroska/rules.mak index 9370e2de3d..efed037e15 100644 --- a/contrib/src/matroska/rules.mak +++ b/contrib/src/matroska/rules.mak @@ -19,6 +19,7 @@ $(TARBALLS)/libmatroska-$(MATROSKA_VERSION).tar.xz: libmatroska: libmatroska-$(MATROSKA_VERSION).tar.xz .sum-matroska $(UNPACK) $(APPLY) $(SRC)/matroska/0001-KaxBlock-don-t-reset-potentially-unallocated-memory.patch + $(APPLY) $(SRC)/matroska/0001-KaxBlock-do-not-attempt-to-use-laced-sizes-that-are-.patch $(call pkg_static,"libmatroska.pc.in") $(MOVE) _______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
