From bc5b7035ae992729151ad2e7ba24da251c4a66b5 Mon Sep 17 00:00:00 2001
From: Steve Lhomme
Date: Tue, 2 Jun 2026 11:37:54 +0200
Subject: [PATCH] EbmlMaster: fix leak on upper element found inside the last element

We found an upper element and there is not data to read after the current element within its parent. That upper element is misplaced and should be discarded. The last element is truncated and doesn't contain the rest of its data.
---
 src/EbmlMaster.cpp | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/EbmlMaster.cpp b/src/EbmlMaster.cpp
index 13409312..5f210ff0 100644
--- a/src/EbmlMaster.cpp
+++ b/src/EbmlMaster.cpp
@@ -445,8 +445,13 @@ void EbmlMaster::Read(EbmlStream & inDataStream, const EbmlSemanticContext & sCo

 if (UpperEltFound) {
 --UpperEltFound;
- if (UpperEltFound > 0 || MaxSizeToRead <= 0)
+ if (UpperEltFound > 0)
 goto processCrc;
+ if (MaxSizeToRead <= 0) {
+ delete FoundElt;
+ FoundElt = nullptr;
+ goto processCrc;
+ }
 ElementLevelA = FoundElt;
 }

@@ -458,6 +463,11 @@ void EbmlMaster::Read(EbmlStream & inDataStream, const EbmlSemanticContext & sCo
 UpperEltFound--;
 if (UpperEltFound > 0)
 goto processCrc;
+ if (MaxSizeToRead <= 0) {
+ delete FoundElt;
+ FoundElt = nullptr;
+ goto processCrc;
+ }
 ElementLevelA = FoundElt;
 if (IsFiniteSize() && ElementLevelA->IsFiniteSize()) {
 MaxSizeToRead = GetEndPosition() - ElementLevelA->GetEndPosition(); // even if it's the default value
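Review bot: The new `MaxSizeToRead <= 0` branch in the first hunk, and its identical copy in the second hunk, frees `FoundElt` with a raw `delete`, which is only safe if nothing else still points at that element when the branch runs. Neither hunk shows where `FoundElt` was assigned, so this should be confirmed against the rest of `EbmlMaster::Read`, whose body starts and ends outside both hunks. Because this path is taken on truncated input, a second owner would turn the leak fix into a double free or use-after-free. The reason for discarding the element is stated only in the commit message, so I would put it above each branch, e.g. `// upper element found but nothing left to read in this master: it is misplaced, discard it`. The five added lines are duplicated verbatim in both places, so a small private helper would keep the two paths from drifting apart.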