authorTielei <wangtielei@icst.pku.edu.cn>2008-08-21 00:18:00 +0000
committerTielei <wangtielei@icst.pku.edu.cn>2008-08-21 00:18:00 +0000
commit613653ef0702ef2d0b6c95b0391631d2597b5464 (patch)
tree119a8d4cebbc02a13b388f4f6ea27b19cc5a3190
parente44f653d013abdad41e814250df65cb1fa96a290 (diff)
downloadxine-lib-613653ef0702ef2d0b6c95b0391631d2597b5464.tar.gz
xine-lib-613653ef0702ef2d0b6c95b0391631d2597b5464.tar.bz2
Two potential integer overflows in cdda_server
There are two potential integer overflow bugs in process_commands(). process_commands() reads some tainted data from the socket into "cmd", but doesn't check cmd properly. --HG-- extra : transplant_source : z%12%ABF%D9%EF%92%A1M%B2%FCx%82%26%82%EEaM%2A%C1
-rw-r--r--misc/cdda_server.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/misc/cdda_server.c b/misc/cdda_server.c
index 553ec0a8a..0e2817db3 100644
--- a/misc/cdda_server.c
+++ b/misc/cdda_server.c
@@ -480,6 +480,12 @@ static int process_commands( int socket )
sscanf(cmd,"%*s %d %d", &start_frame, &num_frames);
+ if (num_frames > INT_MAX / CD_RAW_FRAME_SIZE)
+ {
+ printf ("fatal error: integer overflow\n");
+ exit (1);
+ }
+
n = num_frames * CD_RAW_FRAME_SIZE;
buf = malloc( n );
if( !buf )
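Review bot: The added guard rejects only large positive counts, so a negative `num_frames` sent by the client still reaches `n = num_frames * CD_RAW_FRAME_SIZE` and `malloc( n )`; the same holds for `blocks` in the second hunk at `n = blocks * DVD_BLOCK_SIZE`. The condition should bound the value from below as well, `if (num_frames < 0 || num_frames > INT_MAX / CD_RAW_FRAME_SIZE)`, and likewise for `blocks`. The `sscanf` result is not checked in either place, so a command with missing fields leaves the variable at whatever it held before the call; comparing the return value with 2 would close that. Calling `exit (1)` on a malformed request also lets a single client stop the server, so failing only that request may be preferable, though process_commands continues outside the hunk and its error convention is not visible here.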
@@ -556,6 +562,11 @@ static int process_commands( int socket )
char *buf;
sscanf(cmd,"%*s %d %d", &blocks, &flags);
+ if (blocks > INT_MAX / DVD_BLOCK_SIZE)
+ {
+ printf ("fatal error: integer overflow\n");
+ exit (1);
+ }
n = blocks * DVD_BLOCK_SIZE;
buf = malloc( n );