The EBML_BufferToID function in ebmlelement.c in libebml2 through 2012-08-26 allows remote attackers to cause a denial of service (Null pointer dereference and application crash) via a crafted mkv file.
http://packetstormsecurity.com/files/144902/mkvalidator-0.5.1-Denial-Of-Service.html