From 081f2d00aa7fb243e53c2343ecbe8def31c53a0c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Philip=20J=C3=A4genstedt?=
Date: Thu, 13 May 2010 12:10:54 +0200
Subject: [PATCH] matroskademux: Verify lace size in _parse_blockgroup_or_simpleblock

Failure to do this for corrupt input can cause a subbuffer bigger than the actual buffer to be created, quickly leading to segfault.

Test case: bug_s222005751_r0.001____memcpy.webm
---
 gst/matroska/matroska-demux.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/gst/matroska/matroska-demux.c b/gst/matroska/matroska-demux.c
index 0dfd941..8478893 100644
--- a/gst/matroska/matroska-demux.c
+++ b/gst/matroska/matroska-demux.c
@@ -4636,6 +4636,11 @@ gst_matroska_demux_parse_blockgroup_or_simpleblock (GstMatroskaDemux * demux,
   for (n = 0; n < laces; n++) {
     GstBuffer *sub;
 
+    if (G_UNLIKELY (lace_size[n] > size)) {
+      GST_WARNING_OBJECT (demux, "Invalid lace size");
+      break;
+    }
+
     sub = gst_buffer_create_sub (buf, GST_BUFFER_SIZE (buf) - size,
         lace_size[n]);
     GST_DEBUG_OBJECT (demux, "created subbuffer %p", sub);
-- 
2.7.4
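Review bot: The added guard stops the loop with a bare `break`, so a block whose lacing table overruns the payload is silently truncated rather than rejected, and whatever follows the loop (outside this hunk) presumably still runs as if every lace had been handled; the body of gst_matroska_demux_parse_blockgroup_or_simpleblock starts and ends outside the hunk, so I cannot confirm whether a partial push is the intended outcome or whether an error path should be taken instead. The warning also discards the numbers that would let a reader diagnose the corrupt file; `GST_WARNING_OBJECT (demux, "Invalid lace size %u, only %u bytes left in block", lace_size[n], size);` would be more useful, with the format specifiers adjusted to the declared types of `lace_size[n]` and `size`, which are not visible here. A short comment above the check explaining the invariant it protects would help future readers, e.g. `/* lace sizes come from the lacing table in the block, i.e. untrusted input; a lace must not exceed the bytes that remain in buf */`. If `size` is signed while `lace_size[n]` is unsigned (not determinable from the hunk), the comparison promotes to unsigned and a negative remainder would pass the check, which is worth verifying at the declarations.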