Commit 081f2d00 authored by Philip Jägenstedt, committed by Sebastian Dröge

matroskademux: Verify lace size in _parse_blockgroup_or_simpleblock

Failure to do this for corrupt input can cause a subbuffer bigger
than the actual buffer to be created, quickly leading to segfault.
Test case:
bug_s222005751_r0.001____memcpy.webm
parent c659c920
...@@ -4636,6 +4636,11 @@ gst_matroska_demux_parse_blockgroup_or_simpleblock (GstMatroskaDemux * demux, ...@@ -4636,6 +4636,11 @@ gst_matroska_demux_parse_blockgroup_or_simpleblock (GstMatroskaDemux * demux,
for (n = 0; n < laces; n++) { for (n = 0; n < laces; n++) {
GstBuffer *sub; GstBuffer *sub;
if (G_UNLIKELY (lace_size[n] > size)) {
GST_WARNING_OBJECT (demux, "Invalid lace size");
break;
}
sub = gst_buffer_create_sub (buf, sub = gst_buffer_create_sub (buf,
GST_BUFFER_SIZE (buf) - size, lace_size[n]); GST_BUFFER_SIZE (buf) - size, lace_size[n]);
GST_DEBUG_OBJECT (demux, "created subbuffer %p", sub); GST_DEBUG_OBJECT (demux, "created subbuffer %p", sub);
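Review bot: the new `lace_size[n] > size` guard is correct only if `size` is the count of bytes still unconsumed in `buf` (it is also used as `GST_BUFFER_SIZE (buf) - size` for the sub-buffer offset), so it must be decremented by `lace_size[n]` after each sub-buffer is created; that decrement is outside the visible context and is worth confirming, since a stale `size` would let a later lace overrun the buffer. Two smaller points: the warning should print the offending values, e.g. `"Invalid lace size %d > %d", lace_size[n], size`, so a corrupt sample like the one in the commit message can be triaged from the log, and a bare `break` silently drops the remaining laces and continues the block; if the caller treats a partially delivered block as success, consider returning an error / setting the flow return instead of breaking out of the loop.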