When the parser encountered a deeply nested element with an infinite size then a following element of an upper level was not propagated correctly. Instead the element with the infinite size was added into the EBML element tree a second time resulting in memory access after freeing it and multiple attempts to free the same memory address during destruction. Upstream patch: https://github.com/Matroska-Org/libebml/commit/88409e2a94dd3b40ff81d08bf6d92f486d036b24
Created libebml tracking bugs for this issue: Affects: fedora-all [bug 1276336] Affects: epel-all [bug 1276337]
Added CVE according to http://www.cvedetails.com/cve/CVE-2015-8789/
*** Bug 1412632 has been marked as a duplicate of this bug. ***