authorwm4 <wm4@nowhere>2014-01-14 17:38:08 +0100
committerwm4 <wm4@nowhere>2014-01-14 17:38:08 +0100
commitae27e13a0a0d0d69ca3e91ade710ded5208f4fc6 (patch)
tree28e7f180e34f3b81cc030410918277fdc9e59fa5 /demux/ebml.c
parentb51713e8e7938978a675abf1bedc2ff2d9ae7319 (diff)
demux_mkv: avoid skipping too much data in corrupted files
Until now, corrupted files were detected only if the size of an element (that should be skipped) was larger than the remaining file. This could still skip large regions of the file itself if the broken size happened to lie within the file. Change it so that skipping outside the parent element is never allowed.
Diffstat (limited to 'demux/ebml.c')
1 files changed, 6 insertions, 5 deletions
diff --git a/demux/ebml.c b/demux/ebml.c
index fbc9998602..c875ef564c 100644
--- a/demux/ebml.c
+++ b/demux/ebml.c
@@ -293,9 +293,10 @@ int ebml_resync_cluster(struct mp_log *log, stream_t *s)
* Skip the current element, or on error, call ebml_resync_cluster().
+ * end gives the maximum possible file pos (due to EBML parent element size).
-int ebml_read_skip_or_resync_cluster(struct mp_log *log, stream_t *s,
- uint64_t *length)
+int ebml_read_skip_or_resync_cluster(struct mp_log *log, int64_t end,
+ stream_t *s)
uint64_t len;
int l;
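Review bot: The added comment line for `end` does not say that a negative value turns the bound off, although the check in the next hunk is guarded by `end >= 0`. I would extend it to ` * end gives the maximum possible file pos (due to EBML parent element size); a negative end disables the check.` so callers know which sentinel to pass when no parent size is known. The signature also replaces the `length` out-parameter and moves `s` to the last position, so every caller outside this hunk has to be updated in the same commit.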
@@ -304,11 +305,11 @@ int ebml_read_skip_or_resync_cluster(struct mp_log *log, stream_t *s,
goto resync;
- if (length)
- *length = len + l;
int64_t pos = stream_tell(s);
+ if (end >= 0 && pos + len > end)
+ goto resync;
// When reading corrupted elements, len will often be a random high number,
// and stream_skip() will fail when skipping past EOF.
if (!stream_skip(s, len)) {
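Review bot: The new bound `pos + len > end` mixes `int64_t pos` with `uint64_t len`, so the sum is computed as an unsigned 64-bit value and can wrap for a very large `len` read from a corrupted file, making the comparison pass when it should not. Whether the length reader can return a value that large is not visible in this hunk, but a subtraction form avoids the question: `if (end >= 0 && (pos > end || len > (uint64_t)(end - pos))) goto resync;`. That form also covers the case where `pos` is already past `end`. The `stream_skip()` failure path that follows remains as a fallback; the function body continues outside the hunk.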