Steve Lhomme pushed to branch master at VideoLAN / VLC


Commits:
4bc8283e by unichronic at 2026-03-14T11:51:24+00:00
mkv: fix OOM vulnerability when parsing oversized child elements

Properly restricts the boundaries of child elements (i_ulev == 0) to their 
parent's boundaries, preventing libebml from bypassing MaxDataSize and 
allocating enormous amounts of memory when encountering spoofed UpperLevel IDs.

- - - - -


1 changed file:

- modules/demux/mkv/Ebml_parser.cpp


Changes:

=====================================
modules/demux/mkv/Ebml_parser.cpp
=====================================
@@ -148,6 +148,15 @@ EbmlElement *EbmlParser::Get( bool allow_overshoot )
         EbmlElement *ret = m_got;
         m_got = NULL;
 
+        if( mi_level > 0 && m_el[mi_level-1]->IsFiniteSize() && 
ret->IsFiniteSize() &&
+            ret->GetEndPosition() > m_el[mi_level-1]->GetEndPosition() )
+        {
+            msg_Err( p_demux, "EBML element at %" PRIu64 " extends beyond 
parent boundary (%" PRIu64 " beyond %" PRIu64 ")",
+                m_el[mi_level]->GetElementPosition(), 
m_el[mi_level]->GetEndPosition(), m_el[mi_level-1]->GetEndPosition() );
+            delete ret;
+            m_el[mi_level] = NULL;
+            return NULL;
+        }
         return ret;
     }
 
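Review bot: In the added bounds check, the `msg_Err` call reads its positions from `m_el[mi_level]` while the condition and the `delete` operate on `ret`. Nothing in this hunk shows that the two are the same pointer or that `m_el[mi_level]` is non-null at this point, so logging `ret->GetElementPosition()` and `ret->GetEndPosition()` would keep the message consistent with the object that was actually tested and avoid a dereference the condition does not guard. The check also never consults the `allow_overshoot` parameter of `Get()`, so an element ending past its parent is rejected here regardless of what the caller passed; a short comment stating that this is intentional, or a condition on the flag, would settle it. Lastly, the commit message ties the fix to `i_ulev == 0`, which does not appear in the condition; a comment above the `if` explaining why this return path corresponds to that case would make the check easier to audit.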



View it on GitLab: 
https://code.videolan.org/videolan/vlc/-/commit/4bc8283e46de625057499127441e082c295ed2e4

vlc-commits mailing list
https://mailman.videolan.org/listinfo/vlc-commits