There's a catch-22 type situation: the `Util::Settings` class requires
the `Application` class to have been instantiated in order to set a
lot of default values when the ini file doesn't exist or when certain
settings don't exist in it. However, the DPI scaling must be set
before the `Application` class is instantiated, and that setting is
stored in said ini file.
As a workaround read this one setting from the ini file directly
without slurping the whole ini file into the `Util::Settings`
instance. This only requires an instance of `QSettings` which, in
turn, only requires that the organization name & domain as well as the
application name have been set in `QApplication`.
Fixes #2424.
The resource compiler includes identifiers that aren't defined as
preprocessor symbols verbatim as strings. Normally `RT_MANIFEST` is
defined as the integer resource 24, but if the header file where it is
defined (`winuser.h`) isn't included, the verbatim string
`RT_MANIFEST` will be used silently.
See #2415.
Older libEBML or libMatroska versions don't validate the parent/child
sizes properly. This means that tests running on those older versions
cause mkvinfo to fail (with an exception = harmlessly).
The `EbmlElement::Read` function returns two values via reference
parameters. They're called `UpperEltFound` (an integer) and
`FoundElt` (a pointer to an EBML element). They're used for passing
back the first element found (if any) that is not a child of the
element currently being read so that the calling code can continue
parsing the file using the upper-level element.
If the calling code doesn't need that element, it has to delete it
itself. However, the code must not simply rely on the `FoundElt`
pointer being not null as the `Read` function assigns temporary
results to that variable. Depending on the file content, that
temporary element may have already been deleted by the `Read`
function. When the calling code then simply deletes `FoundElt` itself,
this leads to a typical case of use-after-free.
Instead the calling code must only work with the returned `FoundElt`
pointer if the other returned value, `UpperEltFound`, is trueish in the
C++ sense (if it isn't 0). Then and only then may the calling code
attempt to delete the object `FoundElt` points to.
This vulnerability allows arbitrary code execution via specially
crafted Matroska files. It was reported by Cisco TALOS on 2018-10-25
and is known as TALOS 2018-0694.
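The ownership contract described in the message above, as an added example that is not libEBML's or MKVToolNix's own code: `EbmlElement`, `Token` and `Read` are stand-ins that mimic only the behaviour the message describes (every element looked at is parked in `FoundElt` first, children are freed during the read, only a non-child is handed back with `UpperEltFound` non-zero; real libEBML puts the level difference into `UpperEltFound`, this mock only distinguishes zero from non-zero), and `read_children_and_take_upper` is a hypothetical helper showing the corrected check. `g_live_elements` counts constructed-but-not-destroyed elements so that "no leak, no double free" can be checked instead of relying on a crash.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

int g_live_elements = 0;   // elements constructed and not yet destroyed (for checking, not part of libEBML)

// Stand-in for libEBML's EbmlElement (hypothetical; the real class is in libebml/EbmlElement.h).
struct EbmlElement {
  uint32_t id;
  int depth;   // 1 = child of the master currently being read, 0 = not a child (an "upper" element)
  EbmlElement(uint32_t i, int d) : id(i), depth(d) { ++g_live_elements; }
  virtual ~EbmlElement() { --g_live_elements; }
};

// The "file" for this example: a flat, constructed list of (id, depth) pairs.
struct Token { uint32_t id; int depth; };

// Caricature of EbmlElement::Read. Every element is assigned to FoundElt as a temporary
// result; children are consumed and deleted right away, so FoundElt then holds a stale
// pointer. Only a non-child is returned to the caller, signalled by UpperEltFound != 0.
void Read(const std::vector<Token> &file, size_t &pos, int &UpperEltFound, EbmlElement *&FoundElt) {
  UpperEltFound = 0;
  while (pos < file.size()) {
    FoundElt = new EbmlElement(file[pos].id, file[pos].depth);   // temporary result
    ++pos;
    if (FoundElt->depth > 0) {   // a child of the element being read
      delete FoundElt;           // freed here: FoundElt now dangles but is not reset
      continue;
    }
    UpperEltFound = 1;           // from here on the caller owns FoundElt
    return;
  }
  // End of file: UpperEltFound stays 0 while FoundElt may still hold the stale pointer.
}

// Vulnerable pattern (the TALOS-2018-0694 class of bug), shown for contrast and never called:
//
//   Read(file, pos, upper, found);
//   if (found != nullptr)   // wrong test: non-null does not mean live
//     delete found;         // use-after-free / double free whenever `upper` is 0
//
// Hardened caller: ownership is decided by UpperEltFound alone, never by the pointer value.
std::unique_ptr<EbmlElement> read_children_and_take_upper(const std::vector<Token> &file, size_t &pos) {
  int UpperEltFound = 0;
  EbmlElement *FoundElt = nullptr;
  Read(file, pos, UpperEltFound, FoundElt);
  if (UpperEltFound == 0)
    return nullptr;                                 // FoundElt may dangle: neither read nor delete it
  return std::unique_ptr<EbmlElement>(FoundElt);    // only now is FoundElt a live, caller-owned element
}

// Real Matroska IDs used as sample data.
constexpr uint32_t ID_CLUSTER     = 0x1F43B675;
constexpr uint32_t ID_SIMPLEBLOCK = 0xA3;

int main() {
  // Reading a Cluster: two SimpleBlock children, then the next Cluster (not a child).
  std::vector<Token> file_a = {{ID_SIMPLEBLOCK, 1}, {ID_SIMPLEBLOCK, 1}, {ID_CLUSTER, 0}};
  size_t pos = 0;
  auto upper = read_children_and_take_upper(file_a, pos);
  std::printf("upper element: 0x%X, live elements: %d\n", upper ? upper->id : 0u, g_live_elements);
  upper.reset();
  // Reading a Cluster that ends the file: only children, no upper element to hand back.
  std::vector<Token> file_b = {{ID_SIMPLEBLOCK, 1}, {ID_SIMPLEBLOCK, 1}};
  pos = 0;
  auto none = read_children_and_take_upper(file_b, pos);
  std::printf("upper element present: %d, live elements: %d\n", none != nullptr, g_live_elements);
  return 0;
}
```

The second scenario is the one the original check missed: `FoundElt` is non-null after `Read` returns, but it points at a SimpleBlock that `Read` already freed.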
The info tool uses a loop scanning level 1 elements starting with the
first cluster in order to provide a responsive UI to the user. That loop
is exited when the end of the file is reached or a higher-level
element (level 0) is encountered.
The `EbmlStream::FindNextElement` function used for retrieving the
next element sets the `upper_lvl_el` parameter to a non-zero value
when it finds global elements such as an EBML Void element. However, a
scan of level 1 elements should not abort on an EBML Void
element (generally on any type of global elements) but only when a
real level 0 element is found.
Fixes #2413.
The two header fields `delta_frame_id_length_minus2` and
`additional_frame_id_length_minus1` are only present if
`reduced_still_picture_header` is not set but
`frame_id_numbers_present_flag` is.
Part of the fix for #2410.
When surrounding elements have been written using eight-byte size
length fields, the analyzer cannot enlarge the element
anymore. Instead, it can shrink them by one byte and move the head
up. That way the former one-byte gap will become a two-byte gap
instead. A new, empty EBML void element can then be placed in the gap
instead.
libavformat from ffmpeg/libav writes most level 1 elements with
eight-byte size length fields. Files created by it are therefore the
prime candidate for hitting this bug.
Fixes #2406.
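The two EBML-level operations from the #2413 and #2406 messages above, as one added example that is not part of MKVToolNix or libEBML: `read_header`, `scan_level1`, `write_size` and `fill_one_byte_gap` are hypothetical helpers working on a byte buffer. The element IDs are the real EBML/Matroska ones. The scan imitates `EbmlStream::FindNextElement` only in that it reports a non-zero `upper_lvl_el` for anything that is not a known level 1 element, global elements included, which is exactly why the loop has to look at the ID itself. For the gap case the one-byte gap is assumed to sit directly before the element, so the header is moved up by one byte and the payload stays where it is; unknown-size elements are not handled.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <vector>

// Real IDs from the EBML/Matroska specifications.
constexpr uint32_t ID_EBML_HEADER = 0x1A45DFA3, ID_SEGMENT = 0x18538067;                    // level 0
constexpr uint32_t ID_SEEKHEAD = 0x114D9B74, ID_INFO = 0x1549A966, ID_TRACKS = 0x1654AE6B,
                   ID_CHAPTERS = 0x1043A770, ID_CLUSTER = 0x1F43B675, ID_CUES = 0x1C53BB6B,
                   ID_ATTACHMENTS = 0x1941A469, ID_TAGS = 0x1254C367;                       // level 1
constexpr uint32_t ID_VOID = 0xEC, ID_CRC32 = 0xBF;                                         // global

bool is_global(uint32_t id) { return id == ID_VOID || id == ID_CRC32; }
bool is_level1(uint32_t id) {
  for (uint32_t k : {ID_SEEKHEAD, ID_INFO, ID_TRACKS, ID_CHAPTERS, ID_CLUSTER, ID_CUES, ID_ATTACHMENTS, ID_TAGS})
    if (id == k) return true;
  return false;
}

// Byte length of an EBML variable-length integer, taken from its leading byte (0 = invalid).
int vint_length(uint8_t first) {
  for (int len = 1; len <= 8; ++len)
    if (first & (0x80 >> (len - 1))) return len;
  return 0;
}

struct Header { uint32_t id; uint64_t size; int id_len; int size_len; bool ok; };

// Parse the element header at `pos`: ID (marker bits kept, as libEBML does) and data size
// (marker bit stripped). ok == false for end of data or a truncated header.
Header read_header(const std::vector<uint8_t> &buf, size_t pos) {
  Header h{0, 0, 0, 0, false};
  if (pos >= buf.size()) return h;
  h.id_len = vint_length(buf[pos]);
  if (h.id_len < 1 || h.id_len > 4 || pos + h.id_len >= buf.size()) return h;
  for (int i = 0; i < h.id_len; ++i) h.id = (h.id << 8) | buf[pos + i];
  h.size_len = vint_length(buf[pos + h.id_len]);
  if (h.size_len == 0 || pos + h.id_len + h.size_len > buf.size()) return h;
  h.size = buf[pos + h.id_len] & (0xFF >> h.size_len);
  for (int i = 1; i < h.size_len; ++i) h.size = (h.size << 8) | buf[pos + h.id_len + i];
  h.ok = true;
  return h;
}

struct ScanResult { std::vector<uint32_t> level1_ids; int globals_skipped; uint32_t stop_id; size_t stop_pos; };

// The #2413 loop: walk level 1 elements from `pos`. The mock FindNextElement flags globals
// (Void, CRC-32) with upper_lvl_el != 0 just like a level 0 element, so the loop skips them
// by ID and stops only at a real level 0 element (stop_id, stop_pos = its header) or at the
// end of data (stop_id = 0, stop_pos = buf.size()).
ScanResult scan_level1(const std::vector<uint8_t> &buf, size_t pos) {
  ScanResult r{{}, 0, 0, buf.size()};
  for (;;) {
    Header h = read_header(buf, pos);
    if (!h.ok) break;
    int upper_lvl_el = is_level1(h.id) ? 0 : 1;   // what the mock FindNextElement reports
    if (upper_lvl_el != 0 && !is_global(h.id)) { r.stop_id = h.id; r.stop_pos = pos; break; }
    if (is_global(h.id)) ++r.globals_skipped; else r.level1_ids.push_back(h.id);
    size_t body = pos + h.id_len + h.size_len;
    if (h.size > buf.size() - body) break;        // payload truncated: treat as end of data
    pos = body + h.size;
  }
  return r;
}

// Write `size` as a size field of exactly `len` bytes at `pos` (the caller checks that it fits).
void write_size(std::vector<uint8_t> &buf, size_t pos, uint64_t size, int len) {
  buf[pos] = uint8_t((0x80 >> (len - 1)) | (size >> (8 * (len - 1))));
  for (int i = 1; i < len; ++i) buf[pos + i] = uint8_t(size >> (8 * (len - 1 - i)));
}

// The #2406 workaround: buf[gap_pos] is a one-byte gap directly before an element with an
// eight-byte size field (libavformat style). Re-emit that header one byte later with a
// seven-byte size field (payload untouched), then put an empty EBML Void (EC 80) into the
// two-byte gap this creates. Returns false if the precondition does not hold.
bool fill_one_byte_gap(std::vector<uint8_t> &buf, size_t gap_pos) {
  size_t el = gap_pos + 1;
  Header h = read_header(buf, el);
  if (!h.ok || h.size_len != 8 || h.size >= (uint64_t(1) << 49)) return false;
  for (int i = h.id_len - 1; i >= 0; --i) buf[el + 1 + i] = buf[el + i];   // shift ID up (overlapping copy)
  write_size(buf, el + 1 + h.id_len, h.size, 7);
  buf[gap_pos] = uint8_t(ID_VOID);
  buf[gap_pos + 1] = 0x80;   // Void with data size 0
  return true;
}

int main() {
  // Constructed sample: Cluster (2 bytes) | Void (3 bytes) | Cluster (1 byte) | Segment header.
  std::vector<uint8_t> seq = {0x1F,0x43,0xB6,0x75,0x82,0xA1,0xA2, 0xEC,0x83,0,0,0,
                              0x1F,0x43,0xB6,0x75,0x81,0x00, 0x18,0x53,0x80,0x67,0x80};
  ScanResult r = scan_level1(seq, 0);
  std::printf("level 1 elements: %zu, globals skipped: %d, stopped at 0x%X (offset %zu)\n",
              r.level1_ids.size(), r.globals_skipped, r.stop_id, r.stop_pos);
  // Constructed sample: one-byte gap, then a Cluster with an 8-byte size field and 3 payload bytes.
  std::vector<uint8_t> gap = {0x00, 0x1F,0x43,0xB6,0x75, 0x01,0,0,0,0,0,0,0x03, 0xA1,0xA2,0xA3};
  bool ok = fill_one_byte_gap(gap, 0);
  ScanResult r2 = scan_level1(gap, 0);
  std::printf("gap filled: %d; scan now sees %zu level 1 element(s) and %d Void(s)\n",
              ok, r2.level1_ids.size(), r2.globals_skipped);
  return 0;
}
```

After `fill_one_byte_gap` the buffer is the same length as before and scans cleanly: the Void is skipped as a global element and the Cluster, now with a seven-byte size field, is still found at the same payload offset.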