LG liblg_parser_mkv.so Bad Allocation Calls

During EBML node parsing, the EBML element_size is used without validation to allocate a stack buffer for the element contents. Because a call to alloca simply compiles to a subtraction from the current stack pointer, a large size can result in memory corruption and potential remote code execution in the mediaserver process. Tested on an LG-G4 with firmware MRA58K.
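
An added example, not code from the LG library or the original advisory: the unsafe pattern described above, shown as a comment, beside a bounded replacement. It assumes the pointer sits at the EBML size field (element ID already consumed); ebml_read_size, ebml_copy_element and the 1 MiB MAX_ELEMENT_SIZE cap are hypothetical names and values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ELEMENT_SIZE (1u << 20) /* assumed policy cap, not taken from the LG library */

/* Decode an EBML variable-length size (1 to 8 bytes). Returns bytes consumed, 0 on error. */
static size_t ebml_read_size(const uint8_t *p, size_t avail, uint64_t *out)
{
    if (avail == 0 || p[0] == 0) return 0;      /* empty input or length marker > 8 bytes */
    size_t len = 1;
    uint8_t mask = 0x80;
    while (!(p[0] & mask)) { mask >>= 1; len++; } /* leading zero bits give the field length */
    if (len > avail) return 0;                  /* size field itself is truncated */
    uint64_t v = (uint64_t)(p[0] & (mask - 1));
    for (size_t i = 1; i < len; i++) v = (v << 8) | p[i];
    *out = v;
    return len;
}

/* Unsafe pattern described in the advisory (kept as a comment only):
 *     uint8_t *buf = alloca(element_size);   // file-controlled size moves the stack pointer
 * Hardened form: bound the size by the bytes actually present and by a cap,
 * then allocate on the heap, where failure is reported to the caller. */
uint8_t *ebml_copy_element(const uint8_t *p, size_t avail, size_t *out_len)
{
    uint64_t size;
    size_t hdr = ebml_read_size(p, avail, &size);
    if (hdr == 0 || size > avail - hdr) return NULL; /* claims more than the input holds */
    if (size > MAX_ELEMENT_SIZE) return NULL;        /* larger than this parser accepts */
    uint8_t *buf = malloc(size ? (size_t)size : 1);
    if (!buf) return NULL;
    memcpy(buf, p + hdr, (size_t)size);
    *out_len = (size_t)size;
    return buf;
}

int main(void)
{
    /* Constructed samples: a 3-byte element, and a size field claiming 2^56-1 bytes. */
    const uint8_t ok[]  = { 0x83, 'a', 'b', 'c' };
    const uint8_t bad[] = { 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
    size_t n = 0;
    uint8_t *e = ebml_copy_element(ok, sizeof ok, &n);
    int rc = !(e && n == 3 && ebml_copy_element(bad, sizeof bad, &n) == NULL);
    free(e);
    return rc;
}
```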


MD5 | 711c46670019250996b82da037a5b3ab

