vlc | branch: master | Hugo Beauzée-Luyssen <[email protected]> | Mon Aug 12 11:45:46 2019 +0200| [51450a0f3c5c6a0fefc5ae25f35fe34ef3484af0] | committer: Hugo Beauzée-Luyssen
mkv: Improve PCI events handling CVE-2019-14970 > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=51450a0f3c5c6a0fefc5ae25f35fe34ef3484af0 --- modules/demux/mkv/events.cpp | 5 +++-- modules/demux/mkv/mkv.cpp | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/modules/demux/mkv/events.cpp b/modules/demux/mkv/events.cpp index 12f6c430e6..93cf963340 100644 --- a/modules/demux/mkv/events.cpp +++ b/modules/demux/mkv/events.cpp @@ -50,10 +50,11 @@ void event_thread_t::SetPci(const pci_t *data) { vlc_mutex_locker l(&lock); - pci_packet = *data; + memcpy(&pci_packet, data, sizeof(pci_packet)); #ifndef WORDS_BIGENDIAN - for( uint8_t button = 1; button <= pci_packet.hli.hl_gi.btn_ns; button++) { + for( uint8_t button = 1; button <= pci_packet.hli.hl_gi.btn_ns && + button < ARRAY_SIZE(pci_packet.hli.btnit); button++) { btni_t *button_ptr = &(pci_packet.hli.btnit[button-1]); binary *p_data = (binary*) button_ptr; diff --git a/modules/demux/mkv/mkv.cpp b/modules/demux/mkv/mkv.cpp index 1b055ce7f3..b7d8b3f95a 100644 --- a/modules/demux/mkv/mkv.cpp +++ b/modules/demux/mkv/mkv.cpp @@ -668,7 +668,8 @@ void BlockDecode( demux_t *p_demux, KaxBlock *block, KaxSimpleBlock *simpleblock if ( track.fmt.i_cat == DATA_ES ) { // TODO handle the start/stop times of this packet - p_sys->ev.SetPci( (const pci_t *)&p_block->p_buffer[1]); + if( p_block->i_size >= sizeof(pci_t)) + p_sys->ev.SetPci( (const pci_t *)&p_block->p_buffer[1]); block_Release( p_block ); return; } _______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
