contrib: matroska: do not use invalid lace sizes

https://hackerone.com/reports/493336



Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>

contrib/src/matroska/0001-KaxBlock-do-not-attempt-to-use-laced-sizes-that-are-.patch

+From 1ec615ec2b825523ecb1132794bbe771d2817b70 Mon Sep 17 00:00:00 2001
+From: Steve Lhomme <robux4@ycbcr.xyz>
+Date: Mon, 11 Feb 2019 12:15:58 +0100
+Subject: [PATCH] KaxBlock: do not attempt to use laced sizes that are clearly
+ invalid
+
+---
+ src/KaxBlock.cpp | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/KaxBlock.cpp b/src/KaxBlock.cpp
+index 878d9a2..a1df83e 100644
+--- a/src/KaxBlock.cpp
++++ b/src/KaxBlock.cpp
+@@ -628,7 +628,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+       // put all Frames in the list
+       if (mLacing != LACING_NONE) {
+         // read the number of frames in the lace
+-        uint32 LastBufferSize = GetSize() - BlockHeadSize - 1; // 1 for number of frame
++        const uint32 TotalLacedSize = GetSize() - BlockHeadSize - 1; // 1 for number of frame
++        uint32 LastBufferSize = TotalLacedSize;
+         uint8 FrameNum = _TempHead[0]; // number of frames in the lace - 1
+         // read the list of frame sizes
+         uint8 Index;
+@@ -646,6 +647,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+               do {
+                 Result += input.read(_TempHead, 1);
+                 FrameSize += uint8(_TempHead[0]);
++                if (FrameSize > TotalLacedSize)
++                    throw SafeReadIOCallback::EndOfStreamX(0);
+                 LastBufferSize--;
+ 
+                 FirstFrameLocation++;
+@@ -662,6 +665,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+             cursor = _tmpBuf = new binary[FrameNum*4]; /// \warning assume the mean size will be coded in less than 4 bytes
+             Result += input.read(cursor, FrameNum*4);
+             FrameSize = ReadCodedSizeValue(cursor, SizeRead, SizeUnknown);
++            if (FrameSize > TotalLacedSize)
++                throw SafeReadIOCallback::EndOfStreamX(0);
+             SizeList[0] = FrameSize;
+             cursor += SizeRead;
+             LastBufferSize -= FrameSize + SizeRead;
+@@ -670,6 +675,8 @@ filepos_t KaxInternalBlock::ReadData(IOCallback & input, ScopeMode ReadFully)
+               // get the size of the frame
+               SizeRead = LastBufferSize;
+               FrameSize += ReadCodedSizeSignedValue(cursor, SizeRead, SizeUnknown);
++              if (FrameSize > TotalLacedSize)
++                  throw SafeReadIOCallback::EndOfStreamX(0);
+               SizeList[Index] = FrameSize;
+               cursor += SizeRead;
+               LastBufferSize -= FrameSize + SizeRead;
+-- 
+2.19.1.windows.1
+

contrib/src/matroska/rules.mak

@@ -19,6 +19,7 @@ $(TARBALLS)/libmatroska-$(MATROSKA_VERSION).tar.xz:
 libmatroska: libmatroska-$(MATROSKA_VERSION).tar.xz .sum-matroska
 	$(UNPACK)
 	$(APPLY) $(SRC)/matroska/0001-KaxBlock-don-t-reset-potentially-unallocated-memory.patch
+	$(APPLY) $(SRC)/matroska/0001-KaxBlock-do-not-attempt-to-use-laced-sizes-that-are-.patch
 	$(call pkg_static,"libmatroska.pc.in")
 	$(MOVE)