author | wm4 <wm4@nowhere> | 2014-06-29 23:22:07 +0200 |
---|---|---|
committer | wm4 <wm4@nowhere> | 2014-06-29 23:27:28 +0200 |
commit | 37251cef69aafe1e0477a34291a311a181d19ddb (patch) | |
tree | 8261c128046b8e793dc0276046a73843e5815672 /demux/ebml.c | |
parent | 16465840586e63df4ddd4f1b4707f357e1d788b4 (diff) | |
download | mpv-37251cef69aafe1e0477a34291a311a181d19ddb.tar.bz2 mpv-37251cef69aafe1e0477a34291a311a181d19ddb.tar.xz |
demux_mkv: add some overflow checks etc.
Some of these might be security relevant.
The RealAudio code was especially bad. I'm not sure if all RealAudio
stuff still plays correctly; I didn't have that many samples for
testing. Some checks might be unnecessary or overcomplicated compared
to the (obfuscated) nature of the code.
CC: @mpv-player/stable
Diffstat (limited to 'demux/ebml.c')
-rw-r--r-- | demux/ebml.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/demux/ebml.c b/demux/ebml.c
index f420616aa9..1d0473a6e1 100644
--- a/demux/ebml.c
+++ b/demux/ebml.c
@@ -364,7 +364,7 @@ static void ebml_parse_element(struct ebml_parse_ctx *ctx, void *target,
 char *s = target;
 uint8_t *end = data + size;
 uint8_t *p = data;
- int num_elems[MAX_EBML_SUBELEMENTS] = {};
+ int num_elems[MAX_EBML_SUBELEMENTS] = {0};
 while (p < end) {
 uint8_t *startp = p;
 int len;
@@ -390,6 +390,10 @@ static void ebml_parse_element(struct ebml_parse_ctx *ctx, void *target,
 if (type->fields[i].id == id) {
 field_idx = i;
 num_elems[i]++;
+ if (num_elems[i] >= 0x70000000) {
+ MP_ERR(ctx, "Too many EBML subelements.\n");
+ goto other_error;
+ }
 break;
 }
@@ -566,6 +570,10 @@ static void ebml_parse_element(struct ebml_parse_ctx *ctx, void *target,
 case EBML_TYPE_STR:
 case EBML_TYPE_BINARY:;
+ if (length > 0x80000000) {
+ MP_ERR(ctx, "Not reading overly long EBML element.\n");
+ break;
+ }
 struct bstr *strptr;
 GETPTR(strptr, struct bstr);
 strptr->start = data; |
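Review bot: The threshold `0x70000000` in the new guard after `num_elems[i]++` is an unnamed magic number; `num_elems` is declared `int` in the first hunk, so the constant exists to stop the per-field counter well short of INT_MAX, and that intent should be carried by a name, e.g. `enum { EBML_MAX_SUBELEMENT_COUNT = 0x70000000 };` and `if (num_elems[i] >= EBML_MAX_SUBELEMENT_COUNT) {`. A short comment on the guard such as `// keep the per-field count far below INT_MAX so later arithmetic on it cannot overflow` would also help, though what the count feeds afterwards is not visible here and presumably should be confirmed against the rest of the function. ebml_parse_element starts and ends outside this hunk.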
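Review bot: The new length bound in the EBML_TYPE_STR/EBML_TYPE_BINARY case recovers differently from the count guard in the second hunk: that one aborts with `goto other_error`, while this one logs and then `break`s out of the switch, so the element is skipped after it has already been counted in `num_elems` but before `strptr` is filled in; if skipping is deliberate, a comment such as `// skip this element but keep parsing its siblings` would record why the two guards diverge, and whether a counted-but-unfilled slot is safe for later consumers of `num_elems` is worth confirming since that code is outside the hunk. The type of `length` is also not visible here, and the literal `0x80000000` is `unsigned int` on targets with 32-bit `int`, so a typed or named limit (for example `(uint64_t)0x80000000` or a constant defined next to the one for the subelement count) would make the comparison's width explicit. ebml_parse_element starts and ends outside this hunk.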