From ff2f2a8b04fb04e0284996a483cb6ed4ad8791b2 Mon Sep 17 00:00:00 2001
From: Eric Hameleers
Date: Mon, 27 May 2019 13:34:52 +0000
Subject: Initial revision
---
vlc/build/patches/ffmpeg_mkv-overshoot.patch | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 vlc/build/patches/ffmpeg_mkv-overshoot.patch
diff --git a/vlc/build/patches/ffmpeg_mkv-overshoot.patch b/vlc/build/patches/ffmpeg_mkv-overshoot.patch
new file mode 100644
index 00000000..742893b0
--- /dev/null
+++ b/vlc/build/patches/ffmpeg_mkv-overshoot.patch
@@ -0,0 +1,24 @@
+#ffmpeg: don't use EBML elements in Matroska that are bigger than their parents.
+#https://hackerone.com/reports/492882
+
+--- ffmpeg/libavformat/matroskadec.c.overshoot 2019-02-11 16:03:57.375444600 +0100
++++ ffmpeg/libavformat/matroskadec.c 2019-02-11 16:04:04.418307200 +0100
+@@ -1197,6 +1197,18 @@ static int ebml_parse_elem(MatroskaDemux
+ length, max_lengths[syntax->type], syntax->type);
+ return AVERROR_INVALIDDATA;
+ }
++ if (matroska->num_levels > 0) {
++ MatroskaLevel *level = &matroska->levels[matroska->num_levels - 1];
++ AVIOContext *pb = matroska->ctx->pb;
++ int64_t pos = avio_tell(pb);
++ if (level->length != (uint64_t) -1 &&
++ (pos + length) > (level->start + level->length)) {
++ av_log(matroska->ctx, AV_LOG_ERROR,
++ "Invalid length 0x%"PRIx64" > 0x%"PRIx64" in parent\n",
++ length, level->start + level->length);
++ return AVERROR_INVALIDDATA;
++ }
++ }
+ }
+
+ switch (syntax->type) {
--
cgit v1.2.3
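Review bot: The parent-bounds check added to ebml_parse_elem compares `(pos + length) > (level->start + level->length)` in unsigned 64-bit arithmetic, so a very large `length` could wrap the left-hand sum and slip past the check. Whether the max_lengths test just above already caps `length` for every element type cannot be confirmed from the visible context. `pos` is also taken from avio_tell() without a check, and a negative return would be converted to a huge unsigned value before the addition. A form that cannot wrap would be `uint64_t end = level->start + level->length;` followed by `if (level->length != (uint64_t) -1 && (pos < 0 || (uint64_t) pos > end || length > end - (uint64_t) pos)) {`. The body of ebml_parse_elem starts and ends outside the hunk, so how callers treat the new AVERROR_INVALIDDATA return is not visible here.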