authorDiego 'Flameeyes' Pettenò <flameeyes@gmail.com>2008-04-14 22:38:03 +0200
committerDiego 'Flameeyes' Pettenò <flameeyes@gmail.com>2008-04-14 22:38:03 +0200
commit035a78427ad774878e168f35e515d5d7417501fd (patch)
tree88ccf0d066e5122cf050708ecdca313a06bc8fff
parenta13815e68127caa42c0f1040506755ba18f83f4c (diff)
Add boundary check on speex mode, see bug #83.xine-lib-1_1_12-release1.1.12
--HG-- extra : transplant_source : %80%19%15%EAL%B3%1EAl%11RF%E7%BB%7FHa%2A%C5%1A
-rw-r--r--ChangeLog2
-rw-r--r--src/libxineadec/xine_speex_decoder.c9
2 files changed, 9 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 981e4961c..940b08dce 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,6 @@
xine-lib (1.1.12) 2008-??-??
+ * Security fixes:
+ - Insufficient boundary check in speex audio decoder. (CVE-2008-1686)
* Fixed and improved the PulseAudio driver.
* Fixed a regression in 1.1.11.1 which broke Quicktime container handling.
* And another, this time in the Matroska demuxer.
diff --git a/src/libxineadec/xine_speex_decoder.c b/src/libxineadec/xine_speex_decoder.c
index aa8234385..2804b1308 100644
--- a/src/libxineadec/xine_speex_decoder.c
+++ b/src/libxineadec/xine_speex_decoder.c
@@ -204,7 +204,7 @@ static void speex_decode_data (audio_decoder_t *this_gen, buf_element_t *buf) {
if (!this->st) {
SpeexMode * spx_mode;
SpeexHeader * spx_header;
- int modeID;
+ unsigned int modeID;
int bitrate;
speex_bits_init (&this->bits);
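Review bot: The switch of `modeID` from `int` to `unsigned int` is what lets the later range check reject negative values, but nothing at the declaration says so. `spx_header->mode` is read from the stream header, and a negative value is only caught because it wraps to a large unsigned number before the comparison against `SPEEX_NB_MODES`. A comment on the declaration such as `/* unsigned on purpose: a negative mode from the stream must fail the >= SPEEX_NB_MODES check */` would keep a later cleanup from reverting the type and reopening the out-of-bounds index into `speex_mode_list`. The enclosing `if (!this->st)` block continues outside the hunk.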
@@ -216,7 +216,12 @@ static void speex_decode_data (audio_decoder_t *this_gen, buf_element_t *buf) {
return;
}
- modeID = spx_header->mode;
+ modeID = (unsigned int)spx_header->mode;
+ if (modeID >= SPEEX_NB_MODES) {
+ xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, LOG_MODULE ": invalid mode ID %u\n", modeID);
+ return;
+ }
+
spx_mode = (SpeexMode *) speex_mode_list[modeID];
if (spx_mode->bitstream_version != spx_header->mode_bitstream_version) {
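Review bot: The new `return;` in the `modeID >= SPEEX_NB_MODES` branch exits without releasing anything set up earlier in this block. `speex_bits_init (&this->bits)` has already run and `this->st` is presumably still unset at this point, so each further packet from a malformed stream would re-enter the block and initialise `this->bits` again; and if `spx_header` is heap-allocated by the parsing call above the hunk (not visible here), it is dropped as well. Consider `free (spx_header);` before the `return;`, assuming the header was malloc'd, and initialising the bits only once the header has been validated. The earlier `return;` at the top of this hunk appears to leave `this->bits` in the same state, and the function body continues outside the hunk.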