* Security fixes:

    - Fix heap overflow in DMO loader. (CVE-2007-1246) [bug #1676925]
      Thanks to Kees Cook for reporting.

CVS patchset: 8656
CVS date: 2007/03/10 00:41:34

3 files changed, 5 insertions, 0 deletions

diff --git a/ChangeLog b/ChangeLog
index 46539b699..7179887b0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,7 @@
 xine-lib (1.1.5) (Unreleased)
+  * Security fixes:
+    - Fix heap overflow in DMO loader. (CVE-2007-1246) [bug #1676925]
+      Thanks to Kees Cook for reporting.
   * Improved PulseAudio plugin, now only one connection per instance is opened
     and the mainloop is threaded to reduce latency during playback.
   * Added XCB-based output plugins (Xv and XShm), to use in software using
diff --git a/src/libw32dll/DirectShow/DS_VideoDecoder.c b/src/libw32dll/DirectShow/DS_VideoDecoder.c
index e34659f91..44c6d26d7 100644
--- a/src/libw32dll/DirectShow/DS_VideoDecoder.c
+++ b/src/libw32dll/DirectShow/DS_VideoDecoder.c
@@ -110,6 +110,7 @@ DS_VideoDecoder * DS_VideoDecoder_Open(char* dllname, GUID* guid, BITMAPINFOHEAD
      
         this->iv.m_bh = (BITMAPINFOHEADER*)malloc(bihs);
         memcpy(this->iv.m_bh, format, bihs);
+        this->iv.m_bh->biSize = bihs;
 
         this->iv.m_State = STOP;
         //this->iv.m_pFrame = 0;
diff --git a/src/libw32dll/dmo/DMO_VideoDecoder.c b/src/libw32dll/dmo/DMO_VideoDecoder.c
index 564c26ec8..3ad85645a 100644
--- a/src/libw32dll/dmo/DMO_VideoDecoder.c
+++ b/src/libw32dll/dmo/DMO_VideoDecoder.c
@@ -118,6 +118,7 @@ DMO_VideoDecoder * DMO_VideoDecoder_Open(char* dllname, GUID* guid, BITMAPINFOHE
      
         this->iv.m_bh = (BITMAPINFOHEADER*)malloc(bihs);
         memcpy(this->iv.m_bh, format, bihs);
+        this->iv.m_bh->biSize = bihs;
 
         this->iv.m_State = STOP;
         //this->iv.m_pFrame = 0;