diff options
| author | Matthias Hopf <mhopf@suse.de> | 2009-01-04 17:21:46 +0000 | 
|---|---|---|
| committer | Matthias Hopf <mhopf@suse.de> | 2009-01-04 17:21:46 +0000 | 
| commit | 0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3 (patch) | |
| tree | edc869e912cdf626c2faf9656bd29a4641bba3a0 | |
| parent | 49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a (diff) | |
| download | xine-lib-0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3.tar.gz xine-lib-0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3.tar.bz2 | |
Fix for CVE-2008-5239
xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not
properly handle (a) negative and (b) zero values during unspecified
read function calls in input_file.c, input_net.c, input_smb.c, and
input_http.c, which allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via vectors such as
(1) a file or (2) an HTTP response, which triggers consequences such
as out-of-bounds reads and heap-based buffer overflows.
| -rw-r--r-- | src/input/input_dvb.c | 4 | ||||
| -rw-r--r-- | src/input/input_dvd.c | 3 | ||||
| -rw-r--r-- | src/input/input_file.c | 8 | ||||
| -rw-r--r-- | src/input/input_gnome_vfs.c | 5 | ||||
| -rw-r--r-- | src/input/input_http.c | 15 | ||||
| -rw-r--r-- | src/input/input_mms.c | 5 | ||||
| -rw-r--r-- | src/input/input_net.c | 12 | ||||
| -rw-r--r-- | src/input/input_pnm.c | 18 | ||||
| -rw-r--r-- | src/input/input_pvr.c | 6 | ||||
| -rw-r--r-- | src/input/input_rtp.c | 12 | ||||
| -rw-r--r-- | src/input/input_rtsp.c | 18 | ||||
| -rw-r--r-- | src/input/input_smb.c | 7 | ||||
| -rw-r--r-- | src/input/input_stdin_fifo.c | 13 | 
13 files changed, 112 insertions, 14 deletions
| diff --git a/src/input/input_dvb.c b/src/input/input_dvb.c index 19b479a06..29a38bbf1 100644 --- a/src/input/input_dvb.c +++ b/src/input/input_dvb.c @@ -2602,6 +2602,10 @@ static buf_element_t *dvb_plugin_read_block (input_plugin_t *this_gen,    buf_element_t        *buf = fifo->buffer_pool_alloc (fifo);    int                   total_bytes; +  if (todo < 0 || todo > buf->size) { +    buf->free_buffer (buf); +    return NULL; +  }    buf->content = buf->mem;    buf->type    = BUF_DEMUX_BLOCK; diff --git a/src/input/input_dvd.c b/src/input/input_dvd.c index a845d7628..ff3000e5d 100644 --- a/src/input/input_dvd.c +++ b/src/input/input_dvd.c @@ -850,6 +850,9 @@ static buf_element_t *dvd_plugin_read_block (input_plugin_t *this_gen,  static off_t dvd_plugin_read (input_plugin_t *this_gen, char *ch_buf, off_t len) {  /*  dvd_input_plugin_t *this = (dvd_input_plugin_t*)this_gen; */ +  if (len < 4) +    return -1; +    /* FIXME: Tricking the demux_mpeg_block plugin */    ch_buf[0] = 0;    ch_buf[1] = 0; diff --git a/src/input/input_file.c b/src/input/input_file.c index 774f6b081..690913aa4 100644 --- a/src/input/input_file.c +++ b/src/input/input_file.c @@ -145,6 +145,9 @@ static int check_mmap_file(file_input_plugin_t *this) {  static off_t file_plugin_read (input_plugin_t *this_gen, char *buf, off_t len) {    file_input_plugin_t *this = (file_input_plugin_t *) this_gen; +  if (len < 0) +    return -1; +  #ifdef HAVE_MMAP    if ( check_mmap_file(this) ) {      off_t l = len; @@ -166,6 +169,11 @@ static buf_element_t *file_plugin_read_block (input_plugin_t *this_gen, fifo_buf    file_input_plugin_t  *this = (file_input_plugin_t *) this_gen;    buf_element_t        *buf = fifo->buffer_pool_alloc (fifo); +  if (todo < 0 || todo > buf->size) { +    buf->free_buffer (buf); +    return NULL; +  } +    buf->type = BUF_DEMUX_BLOCK;  #ifdef HAVE_MMAP diff --git a/src/input/input_gnome_vfs.c b/src/input/input_gnome_vfs.c index 0848b9206..ec025f7b5 100644 --- a/src/input/input_gnome_vfs.c +++ b/src/input/input_gnome_vfs.c @@ -121,6 +121,11 @@ gnomevfs_plugin_read_block (input_plugin_t *this_gen, fifo_buffer_t *fifo,  	off_t total_bytes;  	buf_element_t *buf = fifo->buffer_pool_alloc (fifo); +	if (todo < 0 || todo > buf->size) { +		buf->free_buffer (buf); +		return NULL; +	} +  	buf->content = buf->mem;  	buf->type = BUF_DEMUX_BLOCK; diff --git a/src/input/input_http.c b/src/input/input_http.c index 169a0d384..3cb745656 100644 --- a/src/input/input_http.c +++ b/src/input/input_http.c @@ -421,6 +421,9 @@ static off_t http_plugin_read (input_plugin_t *this_gen,    num_bytes = 0; +  if (nlen < 0) +    return -1; +    if (this->curpos < this->preview_size) {      if (nlen > (this->preview_size - this->curpos)) @@ -437,7 +440,7 @@ static off_t http_plugin_read (input_plugin_t *this_gen,    n = nlen - num_bytes; -  if (n) { +  if (n > 0) {      int read_bytes;      read_bytes = http_plugin_read_int (this, &buf[num_bytes], n); @@ -503,6 +506,11 @@ static buf_element_t *http_plugin_read_block (input_plugin_t *this_gen, fifo_buf    off_t                 total_bytes;    buf_element_t        *buf = fifo->buffer_pool_alloc (fifo); +  if (todo < 0 || todo > buf->size) { +    buf->free_buffer (buf); +    return NULL; +  } +    buf->content = buf->mem;    buf->type = BUF_DEMUX_BLOCK; @@ -554,7 +562,7 @@ static off_t http_plugin_seek(input_plugin_t *this_gen, off_t offset, int origin    if ((origin == SEEK_CUR) && (offset >= 0)) {      for (;((int)offset) - BUFSIZE > 0; offset -= BUFSIZE) { -      if( !this_gen->read (this_gen, this->seek_buf, BUFSIZE) ) +      if( this_gen->read (this_gen, this->seek_buf, BUFSIZE) <= 0 )          return this->curpos;      } @@ -576,7 +584,7 @@ static off_t http_plugin_seek(input_plugin_t *this_gen, off_t offset, int origin        offset -= this->curpos;        for (;((int)offset) - BUFSIZE > 0; offset -= BUFSIZE) { -        if( !this_gen->read (this_gen, this->seek_buf, BUFSIZE) ) +        if( this_gen->read (this_gen, this->seek_buf, BUFSIZE) <= 0 )            return this->curpos;        } @@ -996,6 +1004,7 @@ static int http_plugin_open (input_plugin_t *this_gen ) {      this->preview_size = http_plugin_read_int (this, this->preview, MAX_PREVIEW_SIZE);    }    if (this->preview_size < 0) { +    this->preview_size = 0;      xine_log (this->stream->xine, XINE_LOG_MSG, _("input_http: read error %d\n"), errno);      return -12;    } diff --git a/src/input/input_mms.c b/src/input/input_mms.c index 158b40448..d5cc0a2ac 100644 --- a/src/input/input_mms.c +++ b/src/input/input_mms.c @@ -122,6 +122,11 @@ static buf_element_t *mms_plugin_read_block (input_plugin_t *this_gen,    lprintf ("mms_plugin_read_block: %"PRId64" bytes...\n", todo); +  if (todo < 0 || todo > buf->size) { +    buf->free_buffer (buf); +    return NULL; +  } +    buf->content = buf->mem;    buf->type = BUF_DEMUX_BLOCK; diff --git a/src/input/input_net.c b/src/input/input_net.c index 391f33a60..719203ff9 100644 --- a/src/input/input_net.c +++ b/src/input/input_net.c @@ -253,6 +253,9 @@ static off_t net_plugin_read (input_plugin_t *this_gen,    lprintf("reading %" PRIdMAX " bytes...\n", (intmax_t)len); +  if (len < 0) +    return -1; +    total=0;    if (this->curpos < this->preview_size) {      n = this->preview_size - this->curpos; @@ -288,6 +291,11 @@ static buf_element_t *net_plugin_read_block (input_plugin_t *this_gen,    buf_element_t        *buf = fifo->buffer_pool_alloc (fifo);    off_t                 total_bytes; +  if (todo < 0 || todo > buf->size) { +    buf->free_buffer (buf); +    return NULL; +  } +    buf->content = buf->mem;    buf->type = BUF_DEMUX_BLOCK; @@ -331,7 +339,7 @@ static off_t net_plugin_seek (input_plugin_t *this_gen, off_t offset, int origin    if ((origin == SEEK_CUR) && (offset >= 0)) {      for (;((int)offset) - BUFSIZE > 0; offset -= BUFSIZE) { -      if( !this_gen->read (this_gen, this->seek_buf, BUFSIZE) ) +      if( this_gen->read (this_gen, this->seek_buf, BUFSIZE) <= 0 )          return this->curpos;      } @@ -353,7 +361,7 @@ static off_t net_plugin_seek (input_plugin_t *this_gen, off_t offset, int origin        offset -= this->curpos;        for (;((int)offset) - BUFSIZE > 0; offset -= BUFSIZE) { -        if( !this_gen->read (this_gen, this->seek_buf, BUFSIZE) ) +        if( this_gen->read (this_gen, this->seek_buf, BUFSIZE) <= 0 )            return this->curpos;        } diff --git a/src/input/input_pnm.c b/src/input/input_pnm.c index 669d24d28..af2b8add2 100644 --- a/src/input/input_pnm.c +++ b/src/input/input_pnm.c @@ -83,7 +83,8 @@ static off_t pnm_plugin_read (input_plugin_t *this_gen,    lprintf ("pnm_plugin_read: %"PRId64" bytes ...\n", len);    n = pnm_read (this->pnm, buf, len); -  this->curpos += n; +  if (n >= 0) +    this->curpos += n;    return n;  } @@ -96,6 +97,11 @@ static buf_element_t *pnm_plugin_read_block (input_plugin_t *this_gen,    lprintf ("pnm_plugin_read_block: %"PRId64" bytes...\n", todo); +  if (todo < 0 || todo > buf->size) { +    buf->free_buffer (buf); +    return NULL; +  } +    buf->content = buf->mem;    buf->type = BUF_DEMUX_BLOCK; @@ -123,10 +129,16 @@ static off_t pnm_plugin_seek (input_plugin_t *this_gen, off_t offset, int origin    if ((origin == SEEK_CUR) && (offset >= 0)) {      for (;((int)offset) - BUFSIZE > 0; offset -= BUFSIZE) { -      this->curpos += pnm_plugin_read (this_gen, this->scratch, BUFSIZE); +      off_t n = pnm_plugin_read (this_gen, this->scratch, BUFSIZE); +      if (n <= 0) +	return this->curpos; +      this->curpos += n;      } -    this->curpos += pnm_plugin_read (this_gen, this->scratch, offset); +    off_t n = pnm_plugin_read (this_gen, this->scratch, offset); +    if (n <= 0) +      return this->curpos; +    this->curpos += n;    }    return this->curpos; diff --git a/src/input/input_pvr.c b/src/input/input_pvr.c index 009c76939..18d29f6be 100644 --- a/src/input/input_pvr.c +++ b/src/input/input_pvr.c @@ -424,6 +424,9 @@ static uint32_t pvr_plugin_get_capabilities (input_plugin_t *this_gen) {  static off_t pvr_plugin_read (input_plugin_t *this_gen, char *buf, off_t len) {    /*pvr_input_plugin_t *this = (pvr_input_plugin_t *) this_gen;*/ +  if (len < 4) +    return -1; +    /* FIXME: Tricking the demux_mpeg_block plugin */    buf[0] = 0;    buf[1] = 0; @@ -1199,6 +1202,9 @@ static buf_element_t *pvr_plugin_read_block (input_plugin_t *this_gen, fifo_buff    buf_element_t        *buf;    int                   speed = _x_get_speed(this->stream); +  if (todo < 0 || todo > buf->size) +    return NULL; +    if( !this->pvr_running ) {      xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, "input_pvr: thread died, aborting\n");      return NULL;   diff --git a/src/input/input_rtp.c b/src/input/input_rtp.c index 66fcba87e..8d07eb6cf 100644 --- a/src/input/input_rtp.c +++ b/src/input/input_rtp.c @@ -453,6 +453,9 @@ static off_t rtp_plugin_read (input_plugin_t *this_gen,    struct timespec timeout;    off_t copied = 0;  +  if (length < 0) +    return -1; +    while(length > 0) {      off_t n; @@ -524,6 +527,10 @@ static buf_element_t *rtp_plugin_read_block (input_plugin_t *this_gen,    buf_element_t        *buf = fifo->buffer_pool_alloc (fifo);    int                   total_bytes; +  if (todo < 0 || todo > buf->size) { +    buf->free_buffer (buf); +    return NULL; +  }    buf->content = buf->mem;    buf->type    = BUF_DEMUX_BLOCK; @@ -609,11 +616,14 @@ static int rtp_plugin_get_optional_data (input_plugin_t *this_gen,    if (data_type == INPUT_OPTIONAL_DATA_PREVIEW) {      if (!this->preview_read_done) {        this->preview_size = rtp_plugin_read(this_gen, this->preview, MAX_PREVIEW_SIZE); +      if (this->preview_size < 0) +	this->preview_size = 0;        lprintf("Preview data length = %d\n", this->preview_size);        this->preview_read_done = 1;      } -    memcpy(data, this->preview, this->preview_size); +    if (this->preview_size) +      memcpy(data, this->preview, this->preview_size);      return this->preview_size;    }    else { diff --git a/src/input/input_rtsp.c b/src/input/input_rtsp.c index 110c4d4b6..bfe8fdf85 100644 --- a/src/input/input_rtsp.c +++ b/src/input/input_rtsp.c @@ -84,7 +84,8 @@ static off_t rtsp_plugin_read (input_plugin_t *this_gen,    lprintf ("rtsp_plugin_read: %"PRId64" bytes ...\n", len);    n = rtsp_session_read (this->rtsp, buf, len); -  this->curpos += n; +  if (n > 0) +    this->curpos += n;    return n;  } @@ -97,6 +98,11 @@ static buf_element_t *rtsp_plugin_read_block (input_plugin_t *this_gen,    lprintf ("rtsp_plugin_read_block: %"PRId64" bytes...\n", todo); +  if (todo < 0 || todo > buf->size) { +    buf->free_buffer (buf); +    return NULL; +  } +    buf->content = buf->mem;    buf->type = BUF_DEMUX_BLOCK; @@ -123,10 +129,16 @@ static off_t rtsp_plugin_seek (input_plugin_t *this_gen, off_t offset, int origi    if ((origin == SEEK_CUR) && (offset >= 0)) {      for (;((int)offset) - BUFSIZE > 0; offset -= BUFSIZE) { -      this->curpos += rtsp_plugin_read (this_gen, this->scratch, BUFSIZE); +      off_t n = rtsp_plugin_read (this_gen, this->scratch, BUFSIZE); +      if (n <= 0) +	return this->curpos; +      this->curpos += n;      } -    this->curpos += rtsp_plugin_read (this_gen, this->scratch, offset); +    off_t n = rtsp_plugin_read (this_gen, this->scratch, offset); +    if (n <= 0) +      return this->curpos; +    this->curpos += n;    }    return this->curpos; diff --git a/src/input/input_smb.c b/src/input/input_smb.c index dbab772c9..9050e6ec3 100644 --- a/src/input/input_smb.c +++ b/src/input/input_smb.c @@ -69,6 +69,8 @@ smb_plugin_read (input_plugin_t *this_gen, char *buf, off_t len)  	smb_input_t *this = (smb_input_t *) this_gen;  	off_t n, num_bytes; +	if (len < 0) +		return -1;  	num_bytes = 0;  	while (num_bytes < len) @@ -89,6 +91,11 @@ smb_plugin_read_block (input_plugin_t *this_gen, fifo_buffer_t *fifo,  	off_t total_bytes;  	buf_element_t *buf = fifo->buffer_pool_alloc (fifo); +	if (todo < 0 || todo > buf->size) { +		buf->free_buffer (buf); +		return NULL; +	} +  	buf->content = buf->mem;  	buf->type = BUF_DEMUX_BLOCK; diff --git a/src/input/input_stdin_fifo.c b/src/input/input_stdin_fifo.c index 0ae841b4b..4acd825a5 100644 --- a/src/input/input_stdin_fifo.c +++ b/src/input/input_stdin_fifo.c @@ -85,6 +85,8 @@ static off_t stdin_plugin_read (input_plugin_t *this_gen,    off_t n, total;    lprintf ("reading %"PRId64" bytes...\n", len); +  if (len < 0) +    return -1;    total=0;    if (this->curpos < this->preview_size) { @@ -121,6 +123,11 @@ static buf_element_t *stdin_plugin_read_block (input_plugin_t *this_gen, fifo_bu    /* stdin_input_plugin_t  *this = (stdin_input_plugin_t *) this_gen; */    buf_element_t         *buf = fifo->buffer_pool_alloc (fifo); +  if (todo < 0 || todo > buf->size) { +    buf->free_buffer (buf); +    return NULL; +  } +    buf->content = buf->mem;    buf->type = BUF_DEMUX_BLOCK; @@ -146,7 +153,7 @@ static off_t stdin_plugin_seek (input_plugin_t *this_gen, off_t offset, int orig    if ((origin == SEEK_CUR) && (offset >= 0)) {      for (;((int)offset) - BUFSIZE > 0; offset -= BUFSIZE) { -      if( !this_gen->read (this_gen, this->seek_buf, BUFSIZE) ) +      if( this_gen->read (this_gen, this->seek_buf, BUFSIZE) <= 0 )          return this->curpos;      } @@ -168,7 +175,7 @@ static off_t stdin_plugin_seek (input_plugin_t *this_gen, off_t offset, int orig        offset -= this->curpos;        for (;((int)offset) - BUFSIZE > 0; offset -= BUFSIZE) { -        if( !this_gen->read (this_gen, this->seek_buf, BUFSIZE) ) +        if( this_gen->read (this_gen, this->seek_buf, BUFSIZE) <= 0 )            return this->curpos;        } @@ -270,6 +277,8 @@ static int stdin_plugin_open (input_plugin_t *this_gen ) {    this->preview_size = stdin_plugin_read (&this->input_plugin, this->preview,  					  MAX_PREVIEW_SIZE); +  if (this->preview_size < 0) +    this->preview_size = 0;    this->curpos          = 0;    return 1; | 
