author | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2009-03-08 16:54:39 +0000 |
---|---|---|
committer | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2009-03-08 16:54:39 +0000 |
commit | 7e63be8ffb88c1fe981c7cf39c535a5553e35b31 (patch) | |
tree | 6f5892c85acfa4b853956a05b5ee0fd47eae94e2 | |
parent | e7377d3869eb77ea29c4b6ed5722b4a4b59cf5d7 (diff) | |
Fix another possible 4xm demuxer integer overflow.
--HG--
extra : transplant_source : U%AF%FD%B5%60%27Y%7F%B5Q%F796%F7a%98%F0k%B8%EF
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | src/demuxers/demux_4xm.c | 4 |
2 files changed, 7 insertions, 3 deletions
@@ -1,4 +1,7 @@
 xine-lib (1.1.17) 2009-??-??
+ * Security fixes:
+ - Fix another possible int overflow in the 4XM demuxer.
+ (ref. TKADV2009-004, CVE-2009-0385)
 * Enable libmpeg2new (if configured with --enable-libmpeg2new).
 This is not yet production code; the old mpeg2 decoder remains the default.
 * Add support for OpenBSD.
@@ -18,7 +21,8 @@ xine-lib (1.1.16.2) 2009-02-10
 * Fix broken size checks in various input plugins (ref. CVE-2008-5239).
 * More malloc checking (ref. CVE-2008-5240).
 * Fix race conditions in gapless_switch (ref. kde bug #180339)
- * Fix a possible integer overflow in the 4XM demuxer. (TKADV2009-004.txt)
+ * Fix a possible integer overflow in the 4XM demuxer.
+ (TKADV2009-004, CVE-2009-0385)
 xine-lib (1.1.16.1) 2009-01-11
 * Fix build with older ffmpeg, both internal and in Debian 5.0.
diff --git a/src/demuxers/demux_4xm.c b/src/demuxers/demux_4xm.c
index 015ed8b2f..397a271b8 100644
--- a/src/demuxers/demux_4xm.c
+++ b/src/demuxers/demux_4xm.c
@@ -190,9 +190,9 @@ static int open_fourxm_file(demux_fourxm_t *fourxm) {
 return 0;
 }
 const uint32_t current_track = _X_LE_32(&header[i + 8]);
- if (current_track + 1 > fourxm->track_count) {
+ if (current_track >= fourxm->track_count) {
 fourxm->track_count = current_track + 1;
- if (fourxm->track_count >= UINT_MAX / sizeof(audio_track_t)) {
+ if (!fourxm->track_count || fourxm->track_count >= UINT_MAX / sizeof(audio_track_t)) {
 free(header);
 return 0;
 } |
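Review bot: In the `current_track >= fourxm->track_count` branch of the demux_4xm.c hunk, the track number read from the file is stored into `fourxm->track_count` before it is validated, so the rejecting path returns 0 with a count (possibly wrapped to 0) that presumably no longer matches what was allocated for the tracks. Whether anything reads that count after a failed open is not visible, because `open_fourxm_file` starts and ends outside the hunk, but testing the untrusted value first removes the question and the separate wrap test: `if (current_track >= UINT_MAX / sizeof(audio_track_t) - 1) { free(header); return 0; }` placed ahead of `fourxm->track_count = current_track + 1;`. If the two-part test is kept, a comment such as `/* current_track == 0xFFFFFFFF makes current_track + 1 wrap to 0 */` would explain the `!fourxm->track_count` term. The bound also still lets a single header field ask for an allocation close to UINT_MAX bytes, assuming the resize that follows scales with `track_count`, so a much smaller cap on the number of audio tracks may be worth adding.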