From 870e75524aa0d00ebcd1d15589c8d29b84af1565 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Fri, 14 Sep 2012 21:24:23 +0200
Subject: matroskadec: validate lace_size when parsed

Stricter validation, explicitly exit on misparsing and some error forwarding from the ebml parsing functions used.
---
 libavformat/matroskadec.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)
(limited to 'libavformat/matroskadec.c')

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 27c962eab1..ff2a6c29dc 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1829,11 +1829,19 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
 }
 total += lace_size[n];
 }
+ if (size <= total) {
+ res = AVERROR_INVALIDDATA;
+ goto end;
+ }
 lace_size[n] = size - total;
 break;
 }
 case 0x2: /* fixed-size lacing */
+ if (size != (size / laces) * size) {
+ res = AVERROR_INVALIDDATA;
+ goto end;
+ }
 for (n = 0; n < laces; n++)
 lace_size[n] = size / laces;
 break;
@@ -1844,7 +1852,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
 if (n < 0) {
 av_log(matroska->ctx, AV_LOG_INFO,
 "EBML block data error\n");
- break;
+ res = n;
+ goto end;
 }
 data += n;
 size -= n;
@@ -1856,13 +1865,18 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
 if (r < 0) {
 av_log(matroska->ctx, AV_LOG_INFO,
 "EBML block data error\n");
- break;
+ res = r;
+ goto end;
 }
 data += r;
 size -= r;
 lace_size[n] = lace_size[n - 1] + snum;
 total += lace_size[n];
 }
+ if (size <= total) {
+ res = AVERROR_INVALIDDATA;
+ goto end;
+ }
 lace_size[laces - 1] = size - total;
 break;
 }
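Review bot: The fixed-size lacing guard added under `case 0x2` multiplies by the wrong operand: `(size / laces) * size` equals `size` only when `laces == 1` or `size == 0`, so every genuinely fixed-size laced block with more than one frame is now rejected with AVERROR_INVALIDDATA. The intended divisibility test is `if (size != (size / laces) * laces) {` (equivalently `if (size % laces) {`). Separately, the new `if (size <= total)` check here (and its twin in the EBML-lacing hunk below) rejects a block whose final lace is exactly zero bytes; if a zero-length last frame is legal for this container, `<` is the comparison wanted, which is worth confirming against the spec. matroska_parse_block begins and ends outside this hunk.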
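Review bot: The `if (n < 0)` path now aborts the whole block (`res = n; goto end;`) but the diagnostic stays at AV_LOG_INFO, so a hard parse failure is invisible at the default log level; the `if (r < 0)` path in the next hunk has the same mismatch. Since the ERROR-level "Invalid packet size" message is removed later in this patch, raising both of these `av_log` calls to `AV_LOG_ERROR` would keep one visible indication that a laced block was malformed and dropped. The enclosing loop and function continue outside the hunk.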
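Review bot: `lace_size[n] = lace_size[n - 1] + snum` can wrap the lace size when `snum` is a negative delta larger than the previous lace (the array is read into a `uint32_t pkt_size` in the last hunk; `snum`'s type is not visible here, but it is presumably signed since EBML lacing deltas are), and `total` then wraps with it, so the new `if (size <= total)` after the loop does not reliably catch that case. A per-lace bound before accumulating is more robust: `if (lace_size[n] > size - total) { res = AVERROR_INVALIDDATA; goto end; }` placed ahead of `total += lace_size[n];`, which also keeps `size - total` from underflowing on later iterations (this assumes `lace_size[0]`, computed outside the hunk, has already been bounded the same way). The Xiph-lacing loop in the first hunk accumulates `total` in the same shape and would benefit from the same check. The loop header and the rest of matroska_parse_block lie outside this hunk.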
@@ -1940,11 +1954,6 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
 uint32_t pkt_size = lace_size[n];
 uint8_t *pkt_data = data;
- if (pkt_size > size) {
- av_log(matroska->ctx, AV_LOG_ERROR, "Invalid packet size\n");
- break;
- }
-
 if (encodings && encodings->scope & 1) {
 res = matroska_decode_buffer(&pkt_data, &pkt_size, track);
 if (res < 0)
--
cgit v1.2.3
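Review bot: Removing `if (pkt_size > size)` leaves no check on this path between an individual `lace_size[n]` and the bytes still remaining in the block; the lacing checks added earlier in the patch only compare a running `total` that appears to be unsigned 32-bit arithmetic and can wrap, and the fixed-size branch's guard is mis-written (multiplies by `size` rather than `laces`), so the per-frame bound was doing real work. Keeping a cheap defensive check here, e.g. `if (pkt_size > size) { res = AVERROR_INVALIDDATA; goto end; }` (now returning an error rather than silently breaking out), protects matroska_decode_buffer and whatever consumes `pkt_data` afterwards from an oversized lace at no measurable cost. The enclosing per-lace loop starts and ends outside this hunk.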