diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 2a88fc3db4..6330b15ecf 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1980,11 +1980,19 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
 }
 total += lace_size[n];
 }
+ if (size <= total) {
+ res = AVERROR_INVALIDDATA;
+ goto end;
+ }
 lace_size[n] = size - total;
 break;
 }
 
 case 0x2: /* fixed-size lacing */
+ if (size != (size / laces) * size) {
+ res = AVERROR_INVALIDDATA;
+ goto end;
+ }
 for (n = 0; n < laces; n++)
 lace_size[n] = size / laces;
 break;
@@ -1995,7 +2003,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
 if (n < 0) {
 av_log(matroska->ctx, AV_LOG_INFO,
 "EBML block data error\n");
- break;
+ res = n;
+ goto end;
 }
 data += n;
 size -= n;
@@ -2007,13 +2016,18 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
 if (r < 0) {
 av_log(matroska->ctx, AV_LOG_INFO,
 "EBML block data error\n");
- break;
+ res = r;
+ goto end;
 }
 data += r;
 size -= r;
 lace_size[n] = lace_size[n - 1] + snum;
 total += lace_size[n];
 }
+ if (size <= total) {
+ res = AVERROR_INVALIDDATA;
+ goto end;
+ }
 lace_size[laces - 1] = size - total;
 break;
 }
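Review bot: The fixed-size lacing guard `if (size != (size / laces) * size)` multiplies the quotient by `size` rather than `laces`, so it does not test that the payload divides evenly into the laces. As written it passes only when `size / laces` is 1 (or `size` is 0): a well-formed block with `size` 6 and 3 laces is rejected, while `size` 5 with 3 laces is accepted and leaves trailing bytes that belong to no lace. The intended check is `if (size % laces) {`, which also avoids the multiplication, which could overflow if `size` is a signed int. The declarations of `size` and `laces` and the `end:` label lie outside the hunk, so whether `laces` can be 0 at this point should be confirmed against the code that sets it.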
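Review bot: The `EBML block data error` message in the `n < 0` branch is still logged at `AV_LOG_INFO`, although this path now fails the whole block with `res = n; goto end;`. A malformed lace header that causes a block to be dropped is easier to notice when triaging a crafted or corrupt file if it is logged as `av_log(matroska->ctx, AV_LOG_ERROR, "EBML block data error\n");`. The `r < 0` branch in the next hunk has the same message and level. The `end:` cleanup is outside the hunk, so it is worth confirming that it releases `lace_size` on these new early exits.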
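Review bot: The new `if (size <= total)` check after the EBML loop validates only the accumulated sum, not the individual laces computed by `lace_size[n] = lace_size[n - 1] + snum;`. If `snum` is a signed delta and `lace_size`/`total` are unsigned 32-bit (their declarations are outside the hunk), a negative result wraps to a huge lace and `total += lace_size[n]` can wrap back to a small value, which then passes the final comparison. A per-iteration bound placed before the accumulation, for example `if (lace_size[n] > size - total) { res = AVERROR_INVALIDDATA; goto end; }`, would keep `total` from ever exceeding `size`; the first lace, set before this hunk, would need the same bound. The signed/unsigned comparison in `size <= total` is also worth checking for a `size` that went negative after `size -= r`.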