CVE-2015-8790
A specially crafted Unicode string can cause an off-by-few read on the heap in the Unicode string parsing code in libebml. This issue can potentially be used for information leaks.
http://matroska.org
An off-by-few read on the heap occurs when parsing Unicode strings in EbmlUnicodeString.cpp:UTFstring::UpdateFromUTF8. The string is parsed in a for loop, but in the case of a four-byte character no check is made whether the last bytes accessed fall outside the allocated buffer.
Technical information below:
Vulnerable code is located in EbmlUnicodeString.cpp:UTFstring::UpdateFromUTF8:
    for (j=0, i=0; i<UTF8string.length(); j++) {
        uint8 lead = static_cast<uint8>(UTF8string[i]);
If the last byte in the string being parsed satisfies the
    else if ((lead >> 3) == 0x1e)
condition (for example 0xf2), 3 bytes past the end of the buffer will be read, causing an out-of-bounds read on the heap.
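To make the missing check concrete, here is an added example (not libebml's own code) that keeps the same lead-byte tests as the loop above: naive_overread reports how many bytes past the end of the buffer the unchecked logic would reach for a given input, and decode_utf8_checked is the hardened form that verifies the whole sequence fits before touching any continuation byte.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Number of bytes a UTF-8 sequence occupies, derived from its lead byte
// (same lead-byte tests as the libebml loop); 0 for an invalid lead.
static size_t seq_len(uint8_t lead) {
    if (lead < 0x80) return 1;
    if ((lead >> 5) == 0x6) return 2;
    if ((lead >> 4) == 0xe) return 3;
    if ((lead >> 3) == 0x1e) return 4;
    return 0;
}

// Models the unchecked loop: how many bytes past the end of `s` would be
// touched if each multi-byte sequence were read purely on the lead byte's
// promise. Nothing is actually read out of bounds here.
size_t naive_overread(const std::string& s) {
    size_t i = 0;
    while (i < s.length()) {
        size_t n = seq_len(static_cast<uint8_t>(s[i]));
        if (n == 0) break;            // invalid lead: the original loop also stops
        if (i + n > s.length()) return i + n - s.length();
        i += n;
    }
    return 0;
}

// Hardened decoder: the sequence must fit inside the buffer before any
// continuation byte is touched. Returns false on a truncated or invalid
// sequence instead of reading past the end.
bool decode_utf8_checked(const std::string& s, std::vector<uint32_t>& out) {
    out.clear();
    size_t i = 0;
    while (i < s.length()) {
        uint8_t lead = static_cast<uint8_t>(s[i]);
        size_t n = seq_len(lead);
        if (n == 0 || i + n > s.length()) return false;   // the check the loop lacks
        uint32_t cp = (n == 1) ? lead : (lead & (0xFF >> (n + 1)));
        for (size_t k = 1; k < n; k++) {
            uint8_t c = static_cast<uint8_t>(s[i + k]);
            if ((c >> 6) != 0x2) return false;            // not a continuation byte
            cp = (cp << 6) | (c & 0x3F);
        }
        out.push_back(cp);
        i += n;
    }
    return true;
}
```

A lone 0xf2 lead byte makes naive_overread return 3, matching the advisory, while decode_utf8_checked rejects the same input without reading beyond the string.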
Richard Johnson and Aleksandar Nikolic