author | wm4 <wm4@nowhere> | 2014-06-29 23:22:07 +0200 |
---|---|---|
committer | Alessandro Ghedini <alessandro@ghedini.me> | 2014-07-05 00:25:19 +0200 |
commit | e71d68cdae9ab0619b02944186e51a7c8c4f6804 (patch) | |
tree | 600dbbcfe5b5675dc290fb758b147a88979ebd27 /demux/ebml.c | |
parent | 950ef5b75b4f771b017215eaeafd97658352c7d6 (diff) | |
demux_mkv: add some overflow checks etc.
Some of these might be security relevant.
The RealAudio code was especially bad. I'm not sure if all RealAudio
stuff still plays correctly; I didn't have that many samples for
testing. Some checks might be unnecessary or overcomplicated compared
to the (obfuscated) nature of the code.
CC: @mpv-player/stable
Diffstat (limited to 'demux/ebml.c')
-rw-r--r-- | demux/ebml.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/demux/ebml.c b/demux/ebml.c
index f420616aa9..1d0473a6e1 100644
--- a/demux/ebml.c
+++ b/demux/ebml.c
@@ -364,7 +364,7 @@ static void ebml_parse_element(struct ebml_parse_ctx *ctx, void *target,
     char *s = target;
     uint8_t *end = data + size;
     uint8_t *p = data;
-    int num_elems[MAX_EBML_SUBELEMENTS] = {};
+    int num_elems[MAX_EBML_SUBELEMENTS] = {0};
     while (p < end) {
         uint8_t *startp = p;
         int len;
@@ -390,6 +390,10 @@ static void ebml_parse_element(struct ebml_parse_ctx *ctx, void *target,
             if (type->fields[i].id == id) {
                 field_idx = i;
                 num_elems[i]++;
+                if (num_elems[i] >= 0x70000000) {
+                    MP_ERR(ctx, "Too many EBML subelements.\n");
+                    goto other_error;
+                }
                 break;
             }
@@ -566,6 +570,10 @@ static void ebml_parse_element(struct ebml_parse_ctx *ctx, void *target,
     case EBML_TYPE_STR:
     case EBML_TYPE_BINARY:;
+        if (length > 0x80000000) {
+            MP_ERR(ctx, "Not reading overly long EBML element.\n");
+            break;
+        }
         struct bstr *strptr;
         GETPTR(strptr, struct bstr);
         strptr->start = data; |
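Review bot: The length guard in the third hunk (`if (length > 0x80000000)`) uses a strict comparison, so a length of exactly 0x80000000 still passes; if that value is later stored into a 32-bit signed field, or added to a 32-bit offset, the limit is off by one and should be `if (length >= 0x80000000)` — the type of `length` and what is done with it after `strptr->start = data;` are outside the hunk, so please confirm. Both limits are bare magic numbers (0x70000000 in the second hunk, 0x80000000 here); naming them at file scope, e.g. `enum { EBML_MAX_SUBELEMENTS = 0x70000000, EBML_MAX_ELEMENT_LEN = 0x80000000 };` (suggested names), with a one-line comment on why each bound was chosen would make the intent of the check reviewable. The `break` in the third hunk leaves the switch without storing the element; whether the caller still advances `p` past the skipped element's payload and whether a truncated-file error is preferable to silently dropping the field is not visible here, since ebml_parse_element starts and ends outside the hunk.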