From 02daf37328c57ab12bd086a0d4ce91a5f6d70a97 Mon Sep 17 00:00:00 2001
From: Uoti Urpala
Date: Mon, 29 Oct 2012 19:58:35 +0200
Subject: demux_mkv: fix a hang with invalid files

ebml_read_length() could return a negative value (as uint64_t though) at EOF, and this would then make ebml_read_skip() seek backwards. This could lead to an infinite loop at EOF with corrupt files. Add an extra check to make ebml_read_length() return EBML_UINT_INVALID instead if EOF is hit in the middle of parsing.
---
 libmpdemux/ebml.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libmpdemux/ebml.c b/libmpdemux/ebml.c
index 9bce3b5182..fba8177805 100644
--- a/libmpdemux/ebml.c
+++ b/libmpdemux/ebml.c
@@ -130,6 +130,8 @@ uint64_t ebml_read_length(stream_t *s, int *length)
 }
 if (j == num_ffs)
 return EBML_UINT_INVALID;
+ if (len >= 1ULL<<63) // Can happen if stream_read_char returns EOF
+ return EBML_UINT_INVALID;
 return len;
 }
-- cgit v1.2.3
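Review bot: The new guard `if (len >= 1ULL<<63)` detects end-of-file only indirectly, through a negative return from stream_read_char() being sign-extended into the uint64_t accumulator, so it silently depends on the EOF sentinel staying negative. The read loop is outside this hunk, so this is inferred from the commit message and the inline comment; a more direct form would test the value returned by stream_read_char() at the point where it is read and return EBML_UINT_INVALID there. If the check stays where it is, a fuller comment would help the next reader, e.g. `// stream_read_char() returns a negative int at EOF; OR-ed into len it sets the high bits`. Since the hang came from ebml_read_skip() seeking by the returned length, it is also worth confirming that callers treat EBML_UINT_INVALID as an error rather than as an offset when parsing untrusted files.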