diff -ruwbBd libmatroska-1.5.0/src/KaxBlock.cpp libmatroska-1.5.1/src/KaxBlock.cpp
--- libmatroska-1.5.0/src/KaxBlock.cpp 2019-03-12 20:54:34.000000000 +0100
+++ libmatroska-1.5.1/src/KaxBlock.cpp 2019-05-25 12:16:54.000000000 +0200
@@ -628,11 +628,12 @@
 // put all Frames in the list
 if (mLacing != LACING_NONE) {
 // read the number of frames in the lace
- uint32 LastBufferSize = GetSize() - BlockHeadSize - 1; // 1 for number of frame
+ const uint32 TotalLacedSize = GetSize() - BlockHeadSize - 1; // 1 for number of frame
+ uint32 LastBufferSize = TotalLacedSize;
 uint8 FrameNum = _TempHead[0]; // number of frames in the lace - 1
 // read the list of frame sizes
 uint8 Index;
- int32 FrameSize;
+ uint32 FrameSize;
 uint32 SizeRead;
 uint64 SizeUnknown;
@@ -646,6 +647,8 @@
 do {
 Result += input.read(_TempHead, 1);
 FrameSize += uint8(_TempHead[0]);
+ if (FrameSize > TotalLacedSize)
+ throw SafeReadIOCallback::EndOfStreamX(0);
 LastBufferSize--;
 FirstFrameLocation++;
@@ -662,6 +665,8 @@
 cursor = _tmpBuf = new binary[FrameNum*4]; /// \warning assume the mean size will be coded in less than 4 bytes
 Result += input.read(cursor, FrameNum*4);
 FrameSize = ReadCodedSizeValue(cursor, SizeRead, SizeUnknown);
+ if (FrameSize > TotalLacedSize)
+ throw SafeReadIOCallback::EndOfStreamX(0);
 SizeList[0] = FrameSize;
 cursor += SizeRead;
 LastBufferSize -= FrameSize + SizeRead;
@@ -670,6 +675,8 @@
 // get the size of the frame
 SizeRead = LastBufferSize;
 FrameSize += ReadCodedSizeSignedValue(cursor, SizeRead, SizeUnknown);
+ if (FrameSize > TotalLacedSize)
+ throw SafeReadIOCallback::EndOfStreamX(0);
 SizeList[Index] = FrameSize;
 cursor += SizeRead;
 LastBufferSize -= FrameSize + SizeRead;
@@ -703,7 +710,6 @@
 } catch (SafeReadIOCallback::EndOfStreamX &) {
 SetValueIsSet(false);
- std::memset(EbmlBinary::GetBuffer(), 0, GetSize());
 myBuffers.clear();
 SizeList.clear();
 Timecode = 0;
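Review bot: `TotalLacedSize` is taken from `GetSize() - BlockHeadSize - 1` with no visible check that the element is at least `BlockHeadSize + 1` bytes long, so on a truncated block the unsigned subtraction wraps and the later `FrameSize > TotalLacedSize` guards stop rejecting anything. Unless a check above this hunk already guarantees the size, I would add `if (GetSize() < BlockHeadSize + 1) throw SafeReadIOCallback::EndOfStreamX(0);` before the declaration. The value is also stored in a `uint32`; if `GetSize()` returns a wider type, that narrowing deserves a range check or a comment saying where larger blocks are refused. The enclosing function starts outside the hunk.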
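Review bot: The new guard in the `do` loop bounds each frame by the whole lace (`TotalLacedSize`) rather than by the bytes still unaccounted for, so frame sizes that are each acceptable can together exceed the block and wrap the unsigned `LastBufferSize`. The same holds in the two EBML-lacing hunks that follow, where `LastBufferSize -= FrameSize + SizeRead;` runs right after the identical guard and the result is then copied into `SizeRead` (`SizeRead = LastBufferSize;`) before the next size is decoded. In those hunks I would test the remainder before subtracting, `if (FrameSize + SizeRead > LastBufferSize) throw SafeReadIOCallback::EndOfStreamX(0);`. For this Xiph loop the matching comparison belongs at the point where `FrameSize` is deducted from `LastBufferSize`, which is outside the hunk.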
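Review bot: The added `throw` sits after `cursor = _tmpBuf = new binary[FrameNum*4];`, so if the matching `delete[]` comes later in this branch (it is not in the hunk) the buffer leaks each time a malformed lace is rejected; the guard in the next hunk would have the same effect if it runs before the release. Letting a container own the buffer covers every exit path, `std::vector<binary> TmpBuf(FrameNum*4); cursor = TmpBuf.data();`, with the later manual release dropped, provided `_tmpBuf` is not needed elsewhere. It is also worth a comment that `input.read(cursor, FrameNum*4)` relies on the `\warning` assumption on the line above and is not checked against `TotalLacedSize`.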