From 6d31619af2826adfe5aa71990cebafa8cbd6ecde Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Fri, 7 Apr 2023 13:59:33 -0300
Subject: [PATCH] avformat/matroskadec: validate MaxBlockAdditionID in the
 presence of BlockAdditions

The Matroska spec requires it to be equal to the highest BlockAddID value in a
BlockAdditions, but being purely an informative element, only abort if strict
compliance is requested, as demuxing is otherwise unaffected.

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavformat/matroskadec.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index d6ad778399..a3846106bf 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -3659,6 +3659,16 @@ static int matroska_parse_block_additional(MatroskaDemuxContext *matroska,
     uint8_t *side_data;
     int res;
 
+    if (!matroska->is_webm && track->max_block_additional_id && id > track->max_block_additional_id) {
+        int strict = matroska->ctx->strict_std_compliance >= FF_COMPLIANCE_STRICT;
+        av_log(matroska->ctx, strict ? AV_LOG_ERROR : AV_LOG_WARNING,
+               "BlockAddID %"PRIu64" is higher than the reported MaxBlockAdditionID %"PRIu64" "
+               "for Track with TrackNumber %"PRIu64"\n", id, track->max_block_additional_id,
+               track->num);
+        if (strict)
+            return AVERROR_INVALIDDATA;
+    }
+
     for (int i = 0; i < mappings_list->nb_elem; i++) {
         if (id != mappings[i].value)
             continue;
@@ -3767,6 +3777,17 @@ static int matroska_parse_frame(MatroskaDemuxContext *matroska,
     if (!pkt_size && !nb_blockmore)
         goto no_output;
 
+    if (!matroska->is_webm && nb_blockmore && !track->max_block_additional_id) {
+        int strict = matroska->ctx->strict_std_compliance >= FF_COMPLIANCE_STRICT;
+        av_log(matroska->ctx, strict ? AV_LOG_ERROR : AV_LOG_WARNING,
+               "Unexpected BlockAdditions found in a Block from Track with TrackNumber %"PRIu64" "
+               "where MaxBlockAdditionID is 0\n", track->num);
+        if (strict) {
+            res = AVERROR_INVALIDDATA;
+            goto fail;
+        }
+    }
+
     if (!buf)
         pkt->buf = av_buffer_create(pkt_data, pkt_size + AV_INPUT_BUFFER_PADDING_SIZE,
                                     NULL, NULL, 0);