author | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2009-01-05 15:26:46 +0000 |
---|---|---|
committer | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2009-01-05 15:26:46 +0000 |
commit | 92d532f070f578c4f7f0df3daadf05497be1ed10 (patch) | |
tree | ac523e28256047f66a53b35b09f540c55b2bfa7b | |
parent | ad91982481c386e7df642866f8fd8f029b325edf (diff) | |
Fix for CVE-2008-5234(1).
-rw-r--r-- | src/demuxers/demux_qt.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/src/demuxers/demux_qt.c b/src/demuxers/demux_qt.c
index b5ca5c59e..5a9b0d88b 100644
--- a/src/demuxers/demux_qt.c
+++ b/src/demuxers/demux_qt.c
@@ -730,12 +730,18 @@ static int is_qt_file(input_plugin_t *qt_file) {
 }
 }
-static char *parse_data_atom(const uint8_t *data_atom) {
- const uint32_t data_atom_size = _X_BE_32(&data_atom[0]);
+static char *parse_data_atom(const uint8_t *data_atom, uint32_t max_size) {
+ uint32_t data_atom_size = _X_BE_32(&data_atom[0]);
 static const int data_atom_max_version = 0;
 const int data_atom_version = data_atom[8];
+ if (data_atom_size < 8)
+ return NULL; /* too small */
+
+ if (data_atom_size > max_size)
+ data_atom_size = max_size;
+
 const size_t alloc_size = data_atom_size - 8 + 1;
 char *alloc_str = NULL;
@@ -803,7 +809,7 @@ static void parse_meta_atom(qt_info *info, unsigned char *meta_atom) {
 const uint8_t *const sub_atom = &meta_atom[j];
 const qt_atom sub_atom_code = _X_BE_32(&sub_atom[4]);
 const uint32_t sub_atom_size = _X_BE_32(&sub_atom[0]);
- char *const data_atom = parse_data_atom(&sub_atom[8]);
+ char *const data_atom = parse_data_atom(&sub_atom[8], current_atom_size - j);
 switch(sub_atom_code) {
 case ART_ATOM: |
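Review bot: The `data_atom_size < 8` test runs before the clamp to `max_size`, so when `max_size` itself is below 8 the clamped value still reaches `data_atom_size - 8 + 1`, which wraps in `uint32_t` and yields a very large `alloc_size`. The size field and `data_atom[8]` are also read before `max_size` is consulted at all. I would add `if (max_size < 9) return NULL;` as the first statement and move the clamp above the `< 8` check. The rest of parse_data_atom, including the allocation and copy that use `alloc_size`, is outside the hunk, so the copy length should be confirmed against the same bound.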
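Review bot: The bound passed to parse_data_atom is measured from `sub_atom`, but the pointer passed is `&sub_atom[8]`, so `max_size` overstates the bytes left in the meta atom by 8. Passing `current_atom_size - j - 8` would match the pointer; that in turn needs `j + 8 <= current_atom_size` to hold so the subtraction cannot wrap. The loop that advances `j` and the declaration of `current_atom_size` are outside the hunk, so whether that condition is already guaranteed cannot be confirmed here. `sub_atom_size` is read just above and is not compared with the remaining length in the visible lines either.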