Fix double free in ContentEncoding

Origin: 6a7c84a244
Author: James Zern <jzern@google.com>

-----
This is a security fix for CVE-2019-2126. Godot's 3.6 branch currently contains a vulnerable version of libwebm that is susceptible to a double free because a freed pointer is not reset after deletion. This commit corrects that issue.
This commit is contained in:
John Breton 2025-06-20 15:38:56 -04:00 committed by john-breton
parent ac8b19e5ab
commit 0e1cda420f
No known key found for this signature in database
GPG key ID: F294825506581F28


@ -4232,6 +4232,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
new (std::nothrow) ContentEncryption*[encryption_count]; new (std::nothrow) ContentEncryption*[encryption_count];
if (!encryption_entries_) { if (!encryption_entries_) {
delete[] compression_entries_; delete[] compression_entries_;
compression_entries_ = NULL;
return -1; return -1;
} }
encryption_entries_end_ = encryption_entries_; encryption_entries_end_ = encryption_entries_;
@ -4263,6 +4264,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
delete compression; delete compression;
return status; return status;
} }
assert(compression_count > 0);
*compression_entries_end_++ = compression; *compression_entries_end_++ = compression;
} else if (id == libwebm::kMkvContentEncryption) { } else if (id == libwebm::kMkvContentEncryption) {
ContentEncryption* const encryption = ContentEncryption* const encryption =
@ -4275,6 +4277,7 @@ long ContentEncoding::ParseContentEncodingEntry(long long start, long long size,
delete encryption; delete encryption;
return status; return status;
} }
assert(encryption_count > 0);
*encryption_entries_end_++ = encryption; *encryption_entries_end_++ = encryption;
} }
@ -4326,6 +4329,11 @@ long ContentEncoding::ParseCompressionEntry(long long start, long long size,
delete[] buf; delete[] buf;
return status; return status;
} }
// There should be only one settings element per content compression.
if (compression->settings != NULL) {
delete[] buf;
return E_FILE_FORMAT_INVALID;
}
compression->settings = buf; compression->settings = buf;
compression->settings_len = buflen; compression->settings_len = buflen;