Steve Lhomme pushed to branch master at VideoLAN / VLC
Commits:
4219757a by Mathias APARICIO at 2026-01-22T19:04:29+00:00
demux: mkv: fix stack overflow in script interpreter
OSS-Fuzz 4838250396319744 identified a stack overflow in the Interpret
function (looping between frames 3 and 12).
This patch introduces a recursion depth check M_MS_MAX_DEPTH 8 (the matroska
specification lists 7 chapter layers in the menu
https://www.matroska.org/technical/chapter_codecs.html#:~:text=DVD%20menu) to
prevent stack exhaustion.
The counter is static thread_local so that the value is not discarded after
return and is not mutated by other threads.
Tackles videolan/vlc#29553
- - - - -
1 changed file:
- modules/demux/mkv/chapter_command_script.cpp
Changes:
=====================================
modules/demux/mkv/chapter_command_script.cpp
=====================================
@@ -11,6 +11,7 @@
namespace mkv {
+#define M_MS_MAX_DEPTH 8
//Matroska Script
const std::string matroska_script_interpretor_c::CMD_MS_GOTO_AND_PLAY =
"GotoAndPlay";
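Review bot: `#define M_MS_MAX_DEPTH 8` sits inside `namespace mkv`, but a macro is not scoped by the namespace and carries no type. A `static constexpr int M_MS_MAX_DEPTH = 8;` would keep the limit inside `mkv` and type-checked. The reason for the value 8 (the commit message cites 7 chapter layers in the Matroska specification) is only recorded in the commit message; a one-line comment next to the constant would keep that rationale with the code.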
@@ -18,6 +19,11 @@ const std::string
matroska_script_interpretor_c::CMD_MS_GOTO_AND_PLAY = "GotoAnd
// for a description of existing commands
bool matroska_script_interpretor_c::Interpret( MatroskaChapterProcessTime
time, const binary * p_command, size_t i_size )
{
+ static thread_local int n_call = 0;
+ if( n_call > M_MS_MAX_DEPTH )
+ return false;
+ n_call++;
+
bool b_result = false;
std::string sz_command( reinterpret_cast<const char*> (p_command), i_size
);
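Review bot: the guard `if( n_call > M_MS_MAX_DEPTH )` still admits the call when `n_call` is 8, so with the counter starting at 0 up to nine nested `Interpret` frames run before the function refuses, one more than the constant's name suggests. Use `>=` if 8 is meant as the hard limit, or say in a comment that the limit is exclusive. The refusal path also returns `false` with no diagnostic, so a file that trips the limit is indistinguishable from any other failed command; a log line at this point would help when triaging malformed inputs.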
@@ -76,6 +82,7 @@ bool matroska_script_interpretor_c::Interpret(
MatroskaChapterProcessTime time,
}
}
+ n_call--;
return b_result;
}
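Review bot: the single `n_call--` before `return b_result;` balances the increment only if every path through the function reaches this line. The body between the two hunks is not shown here; any early `return` in it, or an exception such as one thrown by the `std::string sz_command(...)` construction, would leave the counter raised, and because it is `static thread_local` the leak persists for the life of the thread until `Interpret` rejects every script. A small scope guard object that increments in its constructor and decrements in its destructor would make the pairing unconditional.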
View it on GitLab:
https://code.videolan.org/videolan/vlc/-/commit/4219757a3c6e0897e86b59ef5b5a7154ffe07386