1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
#matroska: do not use invalid lace sizes
#https://hackerone.com/reports/493336
From 1ec615ec2b825523ecb1132794bbe771d2817b70 Mon Sep 17 00:00:00 2001
From: Steve Lhomme <robux4@ycbcr.xyz>
Date: Mon, 11 Feb 2019 12:15:58 +0100
Subject: [PATCH] KaxBlock: do not attempt to use laced sizes that are clearly
invalid
---
src/KaxBlock.cpp | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/KaxBlock.cpp b/src/KaxBlock.cpp
index 878d9a2..a1df83e 100644
--- a/src/KaxBlock.cpp
+++ b/src/KaxBlock.cpp
@@ -628,7 +628,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
// put all Frames in the list
if (mLacing != LACING_NONE) {
// read the number of frames in the lace
- uint32 LastBufferSize = GetSize() - BlockHeadSize - 1; // 1 for number of frame
+ const uint32 TotalLacedSize = GetSize() - BlockHeadSize - 1; // 1 for number of frame
+ uint32 LastBufferSize = TotalLacedSize;
uint8 FrameNum = _TempHead[0]; // number of frames in the lace - 1
// read the list of frame sizes
uint8 Index;
@@ -646,6 +647,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
do {
Result += input.read(_TempHead, 1);
FrameSize += uint8(_TempHead[0]);
+ if (FrameSize > TotalLacedSize)
+ throw SafeReadIOCallback::EndOfStreamX(0);
LastBufferSize--;
FirstFrameLocation++;
@@ -662,6 +665,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
cursor = _tmpBuf = new binary[FrameNum*4]; /// \warning assume the mean size will be coded in less than 4 bytes
Result += input.read(cursor, FrameNum*4);
FrameSize = ReadCodedSizeValue(cursor, SizeRead, SizeUnknown);
+ if (FrameSize > TotalLacedSize)
+ throw SafeReadIOCallback::EndOfStreamX(0);
SizeList[0] = FrameSize;
cursor += SizeRead;
LastBufferSize -= FrameSize + SizeRead;
@@ -670,6 +675,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
// get the size of the frame
SizeRead = LastBufferSize;
FrameSize += ReadCodedSizeSignedValue(cursor, SizeRead, SizeUnknown);
+ if (FrameSize > TotalLacedSize)
+ throw SafeReadIOCallback::EndOfStreamX(0);
SizeList[Index] = FrameSize;
cursor += SizeRead;
LastBufferSize -= FrameSize + SizeRead;
--
2.19.1.windows.1
|