From 37251cef69aafe1e0477a34291a311a181d19ddb Mon Sep 17 00:00:00 2001
From: wm4
Date: Sun, 29 Jun 2014 23:22:07 +0200
Subject: demux_mkv: add some overflow checks etc.

Some of these might be security relevant. The RealAudio code was especially bad. I'm not sure if all RealAudio stuff still plays correctly; I didn't have that many samples for testing. Some checks might be unnecessary or overcomplicated compared to the (obfuscated) nature of the code.

CC: @mpv-player/stable
---
 demux/ebml.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'demux/ebml.c')

diff --git a/demux/ebml.c b/demux/ebml.c
index f420616aa9..1d0473a6e1 100644
--- a/demux/ebml.c
+++ b/demux/ebml.c
@@ -364,7 +364,7 @@ static void ebml_parse_element(struct ebml_parse_ctx *ctx, void *target,
     char *s = target;
     uint8_t *end = data + size;
     uint8_t *p = data;
-    int num_elems[MAX_EBML_SUBELEMENTS] = {};
+    int num_elems[MAX_EBML_SUBELEMENTS] = {0};
     while (p < end) {
         uint8_t *startp = p;
         int len;
@@ -390,6 +390,10 @@ static void ebml_parse_element(struct ebml_parse_ctx *ctx, void *target,
             if (type->fields[i].id == id) {
                 field_idx = i;
                 num_elems[i]++;
+                if (num_elems[i] >= 0x70000000) {
+                    MP_ERR(ctx, "Too many EBML subelements.\n");
+                    goto other_error;
+                }
                 break;
             }
 
@@ -566,6 +570,10 @@ static void ebml_parse_element(struct ebml_parse_ctx *ctx, void *target,
 
         case EBML_TYPE_STR:
         case EBML_TYPE_BINARY:;
+            if (length > 0x80000000) {
+                MP_ERR(ctx, "Not reading overly long EBML element.\n");
+                break;
+            }
             struct bstr *strptr;
             GETPTR(strptr, struct bstr);
             strptr->start = data;
-- 
cgit v1.2.3
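Review bot: The bound `0x70000000` on num_elems[i] in the second hunk is a bare magic number with nothing saying why that value was chosen; a named constant or a one-line comment such as `// cap the per-field count so later size arithmetic on it cannot overflow` would make the intent reviewable. The check itself is sound as written: the counter is an `int`, the previous value was below the limit, so the preceding `num_elems[i]++` cannot overflow. Whether the bound is tight enough depends on what num_elems is used for later, which is not visible here — if it is multiplied by a per-element size into a 32-bit quantity, a count just under 0x70000000 still overflows, so a bound derived from the input (each EBML subelement occupies at least two bytes of the parsed range, so the count cannot legitimately exceed half of it) or a much smaller fixed limit would be safer. ebml_parse_element starts and ends outside this hunk.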
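Review bot: The new guard `if (length > 0x80000000)` in the third hunk still admits a length of exactly 0x80000000; if the bstr length assigned just past the end of this hunk (it stops at `strptr->start = data;`) is an `int`, that value wraps to a negative length, so the comparison is off by one. Comparing against the destination type both closes the gap and documents the reason: `if (length > INT_MAX) {` with <limits.h>. The error handling also differs from the subelement-count check in the earlier hunk, which aborts with `goto other_error`, whereas here `break` leaves the switch and parsing continues with the field untouched; if skipping the element is intended, say so, e.g. `// oversized element: skip it and keep parsing rather than abort`. ebml_parse_element starts and ends outside this hunk.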