Fix a crash with corrupted MKV

If the blocksize is corrupted and has a lace, you may have a buffer overflow. Should fix #5658. Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>

Fix a crash with corrupted MKV
If the blocksize is corrupted and has a lace, you may have a buffer overflow. Should fix #5658. Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
61d512e9 · Denis Charmet · Jean-Baptiste Kempf · 31c91f64 · 61d512e9
Commit 61d512e9 authored Dec 26, 2011 by Denis Charmet Committed by Jean-Baptiste Kempf Dec 28, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 1 deletion

modules/demux/mkv/mkv.cpp modules/demux/mkv/mkv.cpp +14 -1

No files found.
--- a/modules/demux/mkv/mkv.cpp
+++ b/modules/demux/mkv/mkv.cpp
@@ -520,6 +520,14 @@ void BlockDecode( demux_t *p_demux, KaxBlock *block, KaxSimpleBlock *simpleblock
    tk->b_inited = true;
+    size_t frame_size = 0;
+    size_t block_size = 0;
+    if( simpleblock != NULL )
+        block_size = simpleblock->GetSize();
+    else
+        block_size = block->GetSize();
    for( unsigned int i = 0;
         ( block != NULL && i < block->NumberFrames()) || ( simpleblock != NULL && i < simpleblock->NumberFrames() );
         i++ )
@@ -535,9 +543,14 @@ void BlockDecode( demux_t *p_demux, KaxBlock *block, KaxSimpleBlock *simpleblock
        else
        {
            data = &block->GetBuffer(i);
+            // condition when the DTS is correct (keyframe or B frame == NOT P frame)
        }
-        if( !data->Buffer() || data->Size() > SIZE_MAX )
+        frame_size += data->Size();
+        if( !data->Buffer() || data->Size() > SIZE_MAX || frame_size > block_size  )
+        {
+            msg_Warn( p_demux, "Cannot read frame (too long or no frame)" );
            break;
+        }
        if( tk->i_compression_type == MATROSKA_COMPRESSION_HEADER && tk->p_compression_data != NULL )
            p_block = MemToBlock( data->Buffer(), data->Size(), tk->p_compression_data->GetSize() );