[Matroska-devel] A possible bug/problem in the EbmlBinary::ReadData()

Krzysztof.Helt at teleste.com Krzysztof.Helt at teleste.com
Fri Jul 18 12:32:33 CEST 2014


Hi,

I have encountered a problem that is possibly a bug in the ebml/matroska library.

In the function EbmlMaster::Read() the line:

ElementLevelA = inDataStream.FindNextElement(sContext, UpperEltFound, MaxSizeToRead, AllowDummyElt);

returned the KaxBlockVirtual class object. A few lines below, the read was called:

ElementLevelA->Read(inDataStream, ElementLevelA->Generic().Context, UpperEltFound, FoundElt, AllowDummyElt, ReadFully);

And it goes down to the function EbmlBinary::ReadData(), which starts with the code:

  if (Data != NULL)
      free(Data);

The problem here is that the KaxBlockVirtual class assigns the Data pointer to the class's internal buffer called DataBlock. Freeing such a pointer is reported as a heap error because the pointer is not a valid pointer on the heap.

It is possible that the read file is damaged but the library should not crash the application.

A similar problem was solved here:

http://lists.helixcommunity.org/pipermail/datatype-dev/2010-August/009779.html

" > Synopsis: Class KaxBlockVirtual derives from class EBMLBinary which 
> contains a pointer "Data".
> KaxBlockVirtual constructor sets this pointer to a statically allocated 
> array member.
> EBMLBinary destructor frees this pointer if not NULL. KaxBlockVirtual 
> doesn't have any destructor. This results in an attempt to free statically 
> allocated memory when KaxBlockVirtual instance is deleted, causing a panic.
>  
> Solution: Add a destructor in KaxBlockVirtual that resets base class 
> Data pointer to NULL.
> Also made changes to protect other mallocs in library."

but the EbmlBinary::ReadData() was not protected.

What would be the correct way to fix this problem?

Best regards,
Krzysztof Helt
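An added illustration, not code from the original message or from libebml, of the ownership problem described in the report and one way a base class can avoid handing a non-heap pointer to free(): the hypothetical BinaryElement and VirtualBlock classes stand in for EbmlBinary and KaxBlockVirtual, and the OwnsData flag, SetBorrowedBuffer() and the DataBlock size are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Stand-in for EbmlBinary (hypothetical, not libebml's code).  The base
// class tracks whether Data came from malloc(), so neither ReadData() nor
// the destructor ever calls free() on storage it does not own.
class BinaryElement {
public:
    BinaryElement() : Data(nullptr), Size(0), OwnsData(true) {}
    virtual ~BinaryElement() { Release(); }

    // Mirrors the pattern in the report: drop the previous buffer, then
    // allocate and fill a new one.  Returns the number of bytes now held.
    std::size_t ReadData(const std::uint8_t *src, std::size_t len) {
        Release();
        Data = static_cast<std::uint8_t *>(std::malloc(len));
        if (Data == nullptr) return 0;
        std::memcpy(Data, src, len);
        Size = len;
        OwnsData = true;
        return len;
    }
    std::size_t GetSize() const { return Size; }
    bool OwnsBuffer() const { return OwnsData; }

protected:
    // Derived classes that alias Data to non-heap storage register it here.
    void SetBorrowedBuffer(std::uint8_t *buf, std::size_t len) {
        Release();
        Data = buf; Size = len; OwnsData = false;
    }

private:
    void Release() {                       // free() only what malloc() gave us
        if (Data != nullptr && OwnsData) std::free(Data);
        Data = nullptr; Size = 0;
    }
    std::uint8_t *Data;
    std::size_t Size;
    bool OwnsData;
};

// Stand-in for KaxBlockVirtual: Data initially points at a member array
// (5 bytes here is an assumed size), so it must never reach free().
class VirtualBlock : public BinaryElement {
public:
    VirtualBlock() { std::memset(DataBlock, 0, sizeof DataBlock);
                     SetBorrowedBuffer(DataBlock, sizeof DataBlock); }
private:
    std::uint8_t DataBlock[5];
};

// Replays the report's sequence: a VirtualBlock is produced, then Read()
// reaches ReadData().  Returns the bytes held afterwards, 0 on inconsistency.
std::size_t ReadIntoVirtualBlock(const std::uint8_t *src, std::size_t len) {
    VirtualBlock vb;                       // Data aliases vb.DataBlock
    std::size_t got = vb.ReadData(src, len); // member array is not freed
    return (got == vb.GetSize() && vb.OwnsBuffer()) ? got : 0;
}                                          // destructor frees only the heap copy
```

With the flag in place the same sequence that crashed in the report completes, and the destructor releases only the malloc'd replacement buffer.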


