librmff: avoid invalid memory access in frame assembly due to invalid vpkg data

Fixes #2691.

NEWS.md

@@ -7,6 +7,8 @@
   track headers. Fixes #2687.
 * mkvmerge: RealMedia reader: fixed a division by zero when all audio
   timestamps were zero. Fixes #2689.
+* mkvmerge: RealMedia reader: fixed an invalid memory access in the video
+  frame assembly code triggered by invalid data in the file. Fixes #2691.
 
 
 # Version 41.0.0 "Smarra" 2019-12-06

lib/librmff/rmff.c

@@ -1837,6 +1837,9 @@ rmff_assemble_packed_video_frame(rmff_track_t *track,
         vpkg_offset = vpkg_length - vpkg_offset;
     }
 
+    if (vpkg_offset > vpkg_length)
+      return RMFF_ERR_DATA;
+
     if (data_len < (int)(vpkg_length - vpkg_offset))
       len = data_len;
     else

tests/results.txt

@@ -527,3 +527,4 @@ T_678rf64:20f16e90d6877679fc0deada17ab520b:passed:20191202-223330:0.055722438
 T_679wavpack_from_matroska:a9d6590516393bccea1a8e016afe4752-a9d6590516393bccea1a8e016afe4752:passed:20191204-223048:0.048046831
 T_680header_removal_compression_without_removed_data:3cbd3bb644d9d5fe781669f1cc8a61c9:passed:20191207-095300:0.009447331
 T_681real_audio_all_timestamps_zero:1bcf53236fb6abd562407b35dd6595db:passed:20191207-125307:0.008037683
+T_682invalid_memory_access_in_frame_assembly:19be7bb0c0ed49e264913b7de0fc69e9:passed:20191207-154924:0.033725907

tests/test-682invalid_memory_access_in_frame_assembly.rb

@@ -0,0 +1,5 @@
+#!/usr/bin/ruby -w
+
+# T_682invalid_memory_access_in_frame_assembly
+describe "mkvmerge / RealMedia invalid memory access during frame assembly"
+test_merge "data/rm/invalid_memory_access_in_frame_assembly.rm", :exit_code => :warning