vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen <[email protected]> | Tue Aug 13 16:25:53 2019 +0200| [78af05d741ea0c48202bfa9e4f4d2a1a9b75e9a5] | committer: Hugo Beauzée-Luyssen
mkv: Improve PCI events handling CVE-2019-14970 (manually cherry picked from commit 51450a0f3c5c6a0fefc5ae25f35fe34ef3484af0) > http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=78af05d741ea0c48202bfa9e4f4d2a1a9b75e9a5 --- modules/demux/mkv/demux.cpp | 5 +++-- modules/demux/mkv/mkv.cpp | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/modules/demux/mkv/demux.cpp b/modules/demux/mkv/demux.cpp index 3efb97f0b5..6fa2418dd2 100644 --- a/modules/demux/mkv/demux.cpp +++ b/modules/demux/mkv/demux.cpp @@ -46,10 +46,11 @@ void event_thread_t::SetPci(const pci_t *data) { vlc_mutex_locker l(&lock); - pci_packet = *data; + memcpy(&pci_packet, data, sizeof(pci_packet)); #ifndef WORDS_BIGENDIAN - for( uint8_t button = 1; button <= pci_packet.hli.hl_gi.btn_ns; button++) { + for( uint8_t button = 1; button <= pci_packet.hli.hl_gi.btn_ns && + button < ARRAY_SIZE(pci_packet.hli.btnit); button++) { btni_t *button_ptr = &(pci_packet.hli.btnit[button-1]); binary *p_data = (binary*) button_ptr; diff --git a/modules/demux/mkv/mkv.cpp b/modules/demux/mkv/mkv.cpp index 5cb3f7ea95..87a8736d16 100644 --- a/modules/demux/mkv/mkv.cpp +++ b/modules/demux/mkv/mkv.cpp @@ -638,7 +638,8 @@ void BlockDecode( demux_t *p_demux, KaxBlock *block, KaxSimpleBlock *simpleblock if ( track.fmt.i_cat == DATA_ES ) { // TODO handle the start/stop times of this packet - p_sys->p_ev->SetPci( (const pci_t *)&p_block->p_buffer[1]); + if( p_block->i_size >= sizeof(pci_t)) + p_sys->p_ev->SetPci( (const pci_t *)&p_block->p_buffer[1]); block_Release( p_block ); return; } _______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
