Commit 86cb13bd authored by Leo's avatar Leo Committed by Natanael Copa

main/libebml: fix CVE-2019-13615

ref #10697
parent f684a98a
......@@ -2,7 +2,7 @@
# Maintainer: Timo Teräs <timo.teras@iki.fi>
pkgname=libebml
pkgver=1.3.5
pkgrel=0
pkgrel=1
pkgdesc="a C++ library to parse Extensible Binary Meta-Language files"
url="https://www.matroska.org/"
arch="all"
......@@ -12,9 +12,15 @@ depends_dev=""
makedepends="$depends_dev"
install=""
subpackages="$pkgname-dev"
source="http://dl.matroska.org/downloads/$pkgname/$pkgname-$pkgver.tar.xz"
source="http://dl.matroska.org/downloads/$pkgname/$pkgname-$pkgver.tar.xz
CVE-2019-13615.patch
"
options="!check"
# secfixes:
# 1.3.5-r1:
# - CVE-2019-13615
_builddir="$srcdir"/$pkgname-$pkgver
prepare() {
local i
......@@ -42,4 +48,5 @@ package() {
make install DESTDIR="$pkgdir"
}
sha512sums="cdf05015724919b19281bf99c562bb7e0bdf16990da274010f664ff316b6ce95ecbeaa1e479f03505281a7f45d5796aee6e7750a9e1c0596b630911d220dca24 libebml-1.3.5.tar.xz"
sha512sums="cdf05015724919b19281bf99c562bb7e0bdf16990da274010f664ff316b6ce95ecbeaa1e479f03505281a7f45d5796aee6e7750a9e1c0596b630911d220dca24 libebml-1.3.5.tar.xz
9cdda162a58c77541065121edafe09643f6c37ffb7b94851903f80a2fb5bf2e4729c6d97b5a23d05257b65abada0f5bf10d9d245cc3b4fd07653bb5ad3c29f0a CVE-2019-13615.patch"
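Review bot: The rewritten `source=` value still downloads the tarball over plain `http://`, and the added patch carries no pointer to the upstream change it was taken from. The two `sha512sums` entries pin the content at build time, so the exposure is limited to whoever next regenerates the checksums from a fresh, unauthenticated download. If the host serves TLS (not verifiable from this page), the first line could read `source="https://dl.matroska.org/downloads/$pkgname/$pkgname-$pkgver.tar.xz`. A one-line comment at the top of `CVE-2019-13615.patch` naming the upstream commit or release would let a later maintainer confirm the backport is complete.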
diff --git a/src/EbmlElement.cpp b/src/EbmlElement.cpp
index 143f439..871247c 100644
--- a/src/EbmlElement.cpp
+++ b/src/EbmlElement.cpp
@@ -372,11 +372,12 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
int PossibleSizeLength;
uint64 SizeUnknown;
int ReadIndex = 0; // trick for the algo, start index at 0
- uint32 ReadSize = 0;
+ uint32 ReadSize = 0, IdStart = 0;
uint64 SizeFound;
int SizeIdx;
bool bFound;
int UpperLevel_original = UpperLevel;
+ uint64 ParseStart = DataStream.getFilePointer();
do {
// read a potential ID
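Review bot: `IdStart` is introduced as `uint32` next to `ReadSize`, yet both are compared against `MaxDataSize` and `IdStart` is later added to the `uint64` `ParseStart`. If `MaxDataSize` is 64-bit, as the `uint64` sum in the later size check suggests, a scan over more than 4 GiB of unrecognised bytes would wrap both counters. The read budget would then no longer be enforced, and `ElementPosition` would be computed from a truncated offset. Declaring them as `uint64 ReadSize = 0, IdStart = 0;` avoids relying on the input being small. The function body starts and ends outside this hunk, so the parameter type should be confirmed there.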
@@ -402,14 +403,17 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
// ID not found
// shift left the read octets
memmove(&PossibleIdNSize[0],&PossibleIdNSize[1], --ReadIndex);
+ IdStart++;
}
+ if (MaxDataSize <= ReadSize)
+ break;
if (DataStream.read(&PossibleIdNSize[ReadIndex++], 1) == 0) {
return NULL; // no more data ?
}
ReadSize++;
- } while (!bFound && MaxDataSize > ReadSize);
+ } while (!bFound);
if (!bFound)
// we reached the maximum we could read without a proper ID
@@ -432,6 +436,10 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
bFound = false;
break;
}
+ if (MaxDataSize <= ReadSize) {
+ bFound = false;
+ break;
+ }
if( DataStream.read( &PossibleIdNSize[SizeIdx++], 1 ) == 0 ) {
return NULL; // no more data ?
}
@@ -454,16 +462,15 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
// 0 : child
// 1 : same level
// + : further parent
- if (Result->ValidateSize() && (SizeFound == SizeUnknown || UpperLevel > 0 || MaxDataSize == 0 || MaxDataSize >= (PossibleID_Length + PossibleSizeLength + SizeFound))) {
- if (SizeFound == SizeUnknown) {
- Result->SetSizeInfinite();
+ if (Result->ValidateSize() && (SizeFound == SizeUnknown || UpperLevel > 0 || MaxDataSize == 0 ||
+ MaxDataSize >= (IdStart + PossibleID_Length + _SizeLength + SizeFound))) {
+ if (SizeFound != SizeUnknown || Result->SetSizeInfinite()) {
+ Result->ElementPosition = ParseStart + IdStart;
+ Result->SizePosition = Result->ElementPosition + PossibleID_Length;
+ // place the file at the beggining of the data
+ DataStream.setFilePointer(Result->SizePosition + _SizeLength);
+ return Result;
}
-
- Result->SizePosition = DataStream.getFilePointer() - SizeIdx + EBML_ID_LENGTH(PossibleID);
- Result->ElementPosition = Result->SizePosition - EBML_ID_LENGTH(PossibleID);
- // place the file at the beggining of the data
- DataStream.setFilePointer(Result->SizePosition + _SizeLength);
- return Result;
}
}
delete Result;
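Review bot: The `MaxDataSize == 0` alternative kept in the rewritten size check appears to be unreachable after this patch. The guard `if (MaxDataSize <= ReadSize) break;` added in the ID loop fires before the first byte is read when the limit is 0, so as far as the visible hunks show no element can be found in that case. A caller that passes 0 expecting "no limit" would therefore get no element back rather than an unbounded scan. Either drop the clause or document the contract next to the check, for example `// MaxDataSize is a hard byte budget; 0 means nothing may be read`. The start of the ID loop and the `if (!bFound)` exit lie outside the hunks, so confirm against the full function.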
@@ -473,8 +480,9 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
// recover all the data in the buffer minus one byte
ReadIndex = SizeIdx - 1;
memmove(&PossibleIdNSize[0], &PossibleIdNSize[1], ReadIndex);
+ IdStart++;
UpperLevel = UpperLevel_original;
- } while ( MaxDataSize > DataStream.getFilePointer() - SizeIdx + PossibleID_Length );
+ } while ( MaxDataSize >= ReadSize );
return NULL;
}
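Review bot: The new loop condition `while ( MaxDataSize >= ReadSize )` looks like it can never be false. Both read sites now break on `MaxDataSize <= ReadSize` before consuming a byte, so `ReadSize` should not get past `MaxDataSize`. Termination then rests on the inner breaks and the `if (!bFound)` exit, and the trailing `return NULL;` would be unreachable. If that is intended, a comment such as `// budget is enforced before each read; this condition is only a backstop` would spare the next reader the analysis. Parts of the loop body lie outside the hunks shown, so this should be checked against the full function.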