This should avoid integer overflows inside libebml that cause a heap buffer overflow, since `new`, as called by the library, is limited to SIZE_MAX bytes.
// find the families of this segment
KaxInfo *p_info = static_cast<KaxInfo*>(p_l1);
b_keep_segment = b_initial;
+ if( unlikely( p_info->GetSize() >= SIZE_MAX ) )
+ {
+ msg_Err( p_demux, "KaxInfo too big aborting" );
+ break;
+ }
try
{
p_info->Read(*p_estream, EBML_CLASS_CONTEXT(KaxInfo), i_upper_lvl, p_l2, true);
KaxCueTime &ctime = *(KaxCueTime*)el;
try
{
+ if( unlikely( ctime.GetSize() >= SIZE_MAX ) )
+ {
+ msg_Err( &sys.demuxer, "CueTime size too big");
+ b_invalid_cue = true;
+ break;
+ }
ctime.ReadData( es.I_O() );
}
catch(...)
{
while( ( el = ep->Get() ) != NULL )
{
+ if( unlikely( el->GetSize() >= SIZE_MAX ) )
+ {
+ ep->Up();
+ msg_Err( &sys.demuxer, "Error %s too big, aborting", typeid(*el).name() );
+ b_invalid_cue = true;
+ break;
+ }
+
if( MKV_IS_ID( el, KaxCueTrack ) )
{
KaxCueTrack &ctrack = *(KaxCueTrack*)el;
-
ctrack.ReadData( es.I_O() );
idx.i_track = uint16( ctrack );
}
{
while( ( el = ep->Get() ) != NULL )
{
+ if( unlikely( el->GetSize() >= SIZE_MAX ) )
+ {
+ msg_Err( &sys.demuxer, "Error %s too big ignoring the tag", typeid(*el).name() );
+ delete ep;
+ delete p_simple;
+ return NULL;
+ }
if( MKV_IS_ID( el, KaxTagName ) )
{
KaxTagName &key = *(KaxTagName*)el;
{
try
{
+ if( unlikely( el->GetSize() >= SIZE_MAX ) )
+ {
+ msg_Err( &sys.demuxer, "Invalid size while reading tag");
+ break;
+ }
if( MKV_IS_ID( el, KaxTagTargetTypeValue ) )
{
KaxTagTargetTypeValue &value = *(KaxTagTargetTypeValue*)el;
catch(...)
{
msg_Err( &sys.demuxer, "Error while reading tag");
- ep->Up();
break;
}
- ep->Up();
}
+ ep->Up();
}
else if( MKV_IS_ID( el, KaxTagSimple ) )
{
}
break;
case 2:
+ if( unlikely( el->GetSize() >= SIZE_MAX ) )
+ {
+ msg_Err( &sys.demuxer, "Error while reading %s... upping level", typeid(*el).name());
+ ep->Up();
+ break;
+ }
if( MKV_IS_ID( el, KaxClusterTimecode ) )
{
KaxClusterTimecode &ctc = *(KaxClusterTimecode*)el;
}
break;
case 3:
+ if( unlikely( el->GetSize() >= SIZE_MAX ) )
+ {
+ msg_Err( &sys.demuxer, "Error while reading %s... upping level", typeid(*el).name());
+ ep->Up();
+ break;
+ }
if( MKV_IS_ID( el, KaxBlock ) )
{
pp_block = (KaxBlock*)el;
{
while( ( l = ep->Get() ) != NULL )
{
+ if( unlikely( l->GetSize() >= SIZE_MAX ) )
+ {
+ msg_Err( &sys.demuxer,"%s too big... skipping it", typeid(*l).name() );
+ continue;
+ }
if( MKV_IS_ID( l, KaxSeekID ) )
{
KaxSeekID &sid = *(KaxSeekID*)l;
int i_upper_level = 0;
/* Master elements */
+ if( unlikely( tracks->GetSize() >= SIZE_MAX ) )
+ {
+ msg_Err( &sys.demuxer, "Track too big, aborting" );
+ return;
+ }
try
{
tracks->Read( es, EBML_CONTEXT(tracks), i_upper_level, el, true );
/* Master elements */
m = static_cast<EbmlMaster *>(info);
+ if( unlikely( m->GetSize() >= SIZE_MAX ) )
+ {
+ msg_Err( &sys.demuxer, "Info too big, aborting" );
+ return;
+ }
try
{
m->Read( es, EBML_CONTEXT(info), i_upper_level, el, true );
KaxChapterTranslate *p_trans = static_cast<KaxChapterTranslate*>( l );
try
{
+ if( unlikely( p_trans->GetSize() >= SIZE_MAX ) )
+ {
+ msg_Err( &sys.demuxer, "Chapter translate too big, aborting" );
+ continue;
+ }
+
p_trans->Read( es, EBML_CONTEXT(p_trans), i_upper_level, el, true );
chapter_translation_c *p_translate = new chapter_translation_c();
EbmlElement *el;
int i_upper_level = 0;
+ if( unlikely( attachments->GetSize() >= SIZE_MAX ) )
+ {
+ msg_Err( &sys.demuxer, "Attachments too big, aborting" );
+ return;
+ }
try
{
attachments->Read( es, EBML_CONTEXT(attachments), i_upper_level, el, true );
int i_upper_level = 0;
/* Master elements */
+ if( unlikely( chapters->GetSize() >= SIZE_MAX ) )
+ {
+ msg_Err( &sys.demuxer, "Chapters too big, aborting" );
+ return;
+ }
try
{
chapters->Read( es, EBML_CONTEXT(chapters), i_upper_level, el, true );
/* Master elements */
m = static_cast<EbmlMaster *>( cluster );
+ if( unlikely( m->GetSize() >= SIZE_MAX ) )
+ {
+ msg_Err( &sys.demuxer, "Cluster too big, aborting" );
+ return;
+ }
try
{
m->Read( es, EBML_CONTEXT(cluster), i_upper_level, el, true );
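Review bot: The guard `GetSize() >= SIZE_MAX`, copied into every hunk (first at the KaxInfo check, then the cue-time, cue-entry, tag, simple-tag, cluster case 2/3, seekhead, tracks, info, chapter-translate, attachments, chapters and cluster hunks), is too coarse to be the bound that stops the allocation overflow the description targets: if GetSize() returns a 64-bit value, as libebml's uint64 suggests, then on a 64-bit build the comparison rejects only the single value 2^64-1, and a size just below it presumably still wraps should the library add a header or terminator length before calling `new`, while on a 32-bit build everything under 4 GiB passes and the allocation remains file-controlled. A demuxer-chosen ceiling on element payload size would be a stronger check than the platform allocator limit. Since the same condition is repeated fourteen times, it is also worth a single helper, e.g. `static inline bool mkv_element_too_big( const EbmlElement *el ) { return el->GetSize() >= MKV_MAX_ELEMENT_SIZE; }` with `MKV_MAX_ELEMENT_SIZE` a limit still to be chosen (name constructed here), so the bound lives in one place while each call site keeps its own error path (`b_invalid_cue = true`, `delete ep; delete p_simple; return NULL;`, `ep->Up(); break;`). Every enclosing function here starts and ends outside the hunks.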