Commit d7ddde73 authored by Steve Lhomme's avatar Steve Lhomme Committed by Jean-Baptiste Kempf

better size checking of EBML elements before we read them

Signed-off-by: default avatarJean-Baptiste Kempf <jb@videolan.org>
parent 723b35b5
...@@ -519,7 +519,7 @@ matroska_stream_c *demux_sys_t::AnalyseAllSegmentsFound( demux_t *p_demux, EbmlS ...@@ -519,7 +519,7 @@ matroska_stream_c *demux_sys_t::AnalyseAllSegmentsFound( demux_t *p_demux, EbmlS
// find the families of this segment // find the families of this segment
KaxInfo *p_info = static_cast<KaxInfo*>(p_l1); KaxInfo *p_info = static_cast<KaxInfo*>(p_l1);
b_keep_segment = b_initial; b_keep_segment = b_initial;
if( unlikely( p_info->GetSize() >= SIZE_MAX ) ) if( unlikely( p_info->IsFiniteSize() && p_info->GetSize() >= SIZE_MAX ) )
{ {
msg_Err( p_demux, "KaxInfo too big aborting" ); msg_Err( p_demux, "KaxInfo too big aborting" );
break; break;
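Review bot: With `p_info->IsFiniteSize() &&` in front, a KaxInfo that declares an unknown size now skips this guard entirely and goes on to whatever reads it after the hunk. As far as I recall, the Matroska element definitions permit unknown size only for Segment and Cluster, so for KaxInfo it more likely indicates a malformed file than a live stream; consider `if( unlikely( !p_info->IsFiniteSize() || p_info->GetSize() >= SIZE_MAX ) )`, or add a comment stating why unknown-size Info must be tolerated and what bounds the read in that case. The same applies to the identical change in ParseTracks, ParseInfo, the KaxChapterTranslate branch, ParseAttachments and ParseChapters; ParseCluster is the one place where unknown size is expected. The enclosing loop body starts and ends outside the hunk.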
......
...@@ -139,7 +139,7 @@ void matroska_segment_c::LoadCues( KaxCues *cues ) ...@@ -139,7 +139,7 @@ void matroska_segment_c::LoadCues( KaxCues *cues )
KaxCueTime &ctime = *(KaxCueTime*)el; KaxCueTime &ctime = *(KaxCueTime*)el;
try try
{ {
if( unlikely( ctime.GetSize() >= SIZE_MAX ) ) if( unlikely( !ctime.ValidateSize() ) )
{ {
msg_Err( &sys.demuxer, "CueTime size too big"); msg_Err( &sys.demuxer, "CueTime size too big");
b_invalid_cue = true; b_invalid_cue = true;
...@@ -162,7 +162,7 @@ void matroska_segment_c::LoadCues( KaxCues *cues ) ...@@ -162,7 +162,7 @@ void matroska_segment_c::LoadCues( KaxCues *cues )
{ {
while( ( el = ep->Get() ) != NULL ) while( ( el = ep->Get() ) != NULL )
{ {
if( unlikely( el->GetSize() >= SIZE_MAX ) ) if( unlikely( !el->ValidateSize() ) )
{ {
ep->Up(); ep->Up();
msg_Err( &sys.demuxer, "Error %s too big, aborting", typeid(*el).name() ); msg_Err( &sys.demuxer, "Error %s too big, aborting", typeid(*el).name() );
...@@ -296,7 +296,7 @@ SimpleTag * matroska_segment_c::ParseSimpleTags( KaxTagSimple *tag, int target_t ...@@ -296,7 +296,7 @@ SimpleTag * matroska_segment_c::ParseSimpleTags( KaxTagSimple *tag, int target_t
{ {
while( ( el = ep->Get() ) != NULL && size < max_size) while( ( el = ep->Get() ) != NULL && size < max_size)
{ {
if( unlikely( el->GetSize() >= SIZE_MAX ) ) if( unlikely( !el->ValidateSize() ) )
{ {
msg_Err( &sys.demuxer, "Error %s too big ignoring the tag", typeid(*el).name() ); msg_Err( &sys.demuxer, "Error %s too big ignoring the tag", typeid(*el).name() );
delete ep; delete ep;
...@@ -409,7 +409,7 @@ void matroska_segment_c::LoadTags( KaxTags *tags ) ...@@ -409,7 +409,7 @@ void matroska_segment_c::LoadTags( KaxTags *tags )
{ {
try try
{ {
if( unlikely( el->GetSize() >= SIZE_MAX ) ) if( unlikely( !el->ValidateSize() ) )
{ {
msg_Err( &sys.demuxer, "Invalid size while reading tag"); msg_Err( &sys.demuxer, "Invalid size while reading tag");
break; break;
...@@ -1351,7 +1351,8 @@ int matroska_segment_c::BlockGet( KaxBlock * & pp_block, KaxSimpleBlock * & pp_s ...@@ -1351,7 +1351,8 @@ int matroska_segment_c::BlockGet( KaxBlock * & pp_block, KaxSimpleBlock * & pp_s
} }
break; break;
case 2: case 2:
if( unlikely( el->GetSize() >= SIZE_MAX ) ) if( unlikely( !el->ValidateSize() ||
( el->IsFiniteSize() && el->GetSize() >= SIZE_MAX ) ) )
{ {
msg_Err( &sys.demuxer, "Error while reading %s... upping level", typeid(*el).name()); msg_Err( &sys.demuxer, "Error while reading %s... upping level", typeid(*el).name());
ep->Up(); ep->Up();
...@@ -1388,7 +1389,8 @@ int matroska_segment_c::BlockGet( KaxBlock * & pp_block, KaxSimpleBlock * & pp_s ...@@ -1388,7 +1389,8 @@ int matroska_segment_c::BlockGet( KaxBlock * & pp_block, KaxSimpleBlock * & pp_s
} }
break; break;
case 3: case 3:
if( unlikely( el->GetSize() >= SIZE_MAX ) ) if( unlikely( !el->ValidateSize() ||
( el->IsFiniteSize() && el->GetSize() >= SIZE_MAX ) ) )
{ {
msg_Err( &sys.demuxer, "Error while reading %s... upping level", typeid(*el).name()); msg_Err( &sys.demuxer, "Error while reading %s... upping level", typeid(*el).name());
ep->Up(); ep->Up();
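Review bot: The checks in LoadCues, ParseSimpleTags and LoadTags (and ParseSeekHead in the next file) now rely on `ValidateSize()` alone, while the two BlockGet cases keep the `SIZE_MAX` comparison next to it, so the upper bound is enforced at some call sites and not at others. What `ValidateSize()` accepts is decided per element class inside libebml and is not visible here; if any class reachable through `el` accepts arbitrary sizes, the old guard is lost for it. Using the BlockGet form everywhere, `if( unlikely( !el->ValidateSize() || ( el->IsFiniteSize() && el->GetSize() >= SIZE_MAX ) ) )`, ideally through one small helper, would keep the policy uniform. The messages at these sites still say "too big" although the check can now fail for other invalid sizes as well. All four functions continue outside their hunks.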
......
...@@ -93,7 +93,7 @@ void matroska_segment_c::ParseSeekHead( KaxSeekHead *seekhead ) ...@@ -93,7 +93,7 @@ void matroska_segment_c::ParseSeekHead( KaxSeekHead *seekhead )
{ {
while( ( l = ep->Get() ) != NULL ) while( ( l = ep->Get() ) != NULL )
{ {
if( unlikely( l->GetSize() >= SIZE_MAX ) ) if( unlikely( !l->ValidateSize() ) )
{ {
msg_Err( &sys.demuxer,"%s too big... skipping it", typeid(*l).name() ); msg_Err( &sys.demuxer,"%s too big... skipping it", typeid(*l).name() );
continue; continue;
...@@ -745,7 +745,7 @@ void matroska_segment_c::ParseTracks( KaxTracks *tracks ) ...@@ -745,7 +745,7 @@ void matroska_segment_c::ParseTracks( KaxTracks *tracks )
int i_upper_level = 0; int i_upper_level = 0;
/* Master elements */ /* Master elements */
if( unlikely( tracks->GetSize() >= SIZE_MAX ) ) if( unlikely( tracks->IsFiniteSize() && tracks->GetSize() >= SIZE_MAX ) )
{ {
msg_Err( &sys.demuxer, "Track too big, aborting" ); msg_Err( &sys.demuxer, "Track too big, aborting" );
return; return;
...@@ -786,7 +786,7 @@ void matroska_segment_c::ParseInfo( KaxInfo *info ) ...@@ -786,7 +786,7 @@ void matroska_segment_c::ParseInfo( KaxInfo *info )
/* Master elements */ /* Master elements */
m = static_cast<EbmlMaster *>(info); m = static_cast<EbmlMaster *>(info);
if( unlikely( m->GetSize() >= SIZE_MAX ) ) if( unlikely( m->IsFiniteSize() && m->GetSize() >= SIZE_MAX ) )
{ {
msg_Err( &sys.demuxer, "Info too big, aborting" ); msg_Err( &sys.demuxer, "Info too big, aborting" );
return; return;
...@@ -914,7 +914,7 @@ void matroska_segment_c::ParseInfo( KaxInfo *info ) ...@@ -914,7 +914,7 @@ void matroska_segment_c::ParseInfo( KaxInfo *info )
KaxChapterTranslate *p_trans = static_cast<KaxChapterTranslate*>( l ); KaxChapterTranslate *p_trans = static_cast<KaxChapterTranslate*>( l );
try try
{ {
if( unlikely( p_trans->GetSize() >= SIZE_MAX ) ) if( unlikely( p_trans->IsFiniteSize() && p_trans->GetSize() >= SIZE_MAX ) )
{ {
msg_Err( &sys.demuxer, "Chapter translate too big, aborting" ); msg_Err( &sys.demuxer, "Chapter translate too big, aborting" );
continue; continue;
...@@ -1108,7 +1108,7 @@ void matroska_segment_c::ParseAttachments( KaxAttachments *attachments ) ...@@ -1108,7 +1108,7 @@ void matroska_segment_c::ParseAttachments( KaxAttachments *attachments )
EbmlElement *el; EbmlElement *el;
int i_upper_level = 0; int i_upper_level = 0;
if( unlikely( attachments->GetSize() >= SIZE_MAX ) ) if( unlikely( attachments->IsFiniteSize() && attachments->GetSize() >= SIZE_MAX ) )
{ {
msg_Err( &sys.demuxer, "Attachments too big, aborting" ); msg_Err( &sys.demuxer, "Attachments too big, aborting" );
return; return;
...@@ -1171,7 +1171,7 @@ void matroska_segment_c::ParseChapters( KaxChapters *chapters ) ...@@ -1171,7 +1171,7 @@ void matroska_segment_c::ParseChapters( KaxChapters *chapters )
int i_upper_level = 0; int i_upper_level = 0;
/* Master elements */ /* Master elements */
if( unlikely( chapters->GetSize() >= SIZE_MAX ) ) if( unlikely( chapters->IsFiniteSize() && chapters->GetSize() >= SIZE_MAX ) )
{ {
msg_Err( &sys.demuxer, "Chapters too big, aborting" ); msg_Err( &sys.demuxer, "Chapters too big, aborting" );
return; return;
...@@ -1245,7 +1245,7 @@ void matroska_segment_c::ParseCluster( KaxCluster *cluster, bool b_update_start_ ...@@ -1245,7 +1245,7 @@ void matroska_segment_c::ParseCluster( KaxCluster *cluster, bool b_update_start_
/* Master elements */ /* Master elements */
m = static_cast<EbmlMaster *>( cluster ); m = static_cast<EbmlMaster *>( cluster );
if( unlikely( m->GetSize() >= SIZE_MAX ) ) if( unlikely( m->IsFiniteSize() && m->GetSize() >= SIZE_MAX ) )
{ {
msg_Err( &sys.demuxer, "Cluster too big, aborting" ); msg_Err( &sys.demuxer, "Cluster too big, aborting" );
return; return;
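Review bot: The `GetSize() >= SIZE_MAX` comparisons kept in ParseTracks, ParseInfo, ParseAttachments, ParseChapters and ParseCluster are undocumented, and they read as a memory bound when they presumably only guard against truncation to size_t. If GetSize() returns a 64-bit value, then on a 64-bit build the condition holds only for the single largest value, so a file-declared size of many gigabytes passes. I would add a comment at each site such as `/* guards size_t truncation only; not a limit on how much is read into memory */`, and consider comparing against the remaining stream length where the element is loaded whole (ParseAttachments in particular). The bodies of these functions continue outside the hunks.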
......