authorDarren Salt <linux@youmustbejoking.demon.co.uk>2009-02-10 17:17:50 +0000
committerDarren Salt <linux@youmustbejoking.demon.co.uk>2009-02-10 17:17:50 +0000
commita0b9021d54dc9890da5f0c9bd26361db4556f6c2 (patch)
tree980f00f5a31e15e5ef3eeb400d5883b6b1d2643b
parent2afab9c8441685d1ec8f6ef5c9f8c4a163533dfa (diff)
downloadxine-lib-a0b9021d54dc9890da5f0c9bd26361db4556f6c2.tar.gz
xine-lib-a0b9021d54dc9890da5f0c9bd26361db4556f6c2.tar.bz2
Fix broken size checks in various input plugins (ref. CVE-2008-5239).
-rw-r--r--ChangeLog2
-rw-r--r--src/input/input_dvb.c4
-rw-r--r--src/input/input_file.c4
-rw-r--r--src/input/input_gnome_vfs.c4
-rw-r--r--src/input/input_http.c4
-rw-r--r--src/input/input_mms.c4
-rw-r--r--src/input/input_net.c4
-rw-r--r--src/input/input_pnm.c4
-rw-r--r--src/input/input_pvr.c4
-rw-r--r--src/input/input_rtp.c4
-rw-r--r--src/input/input_rtsp.c4
-rw-r--r--src/input/input_smb.c4
-rw-r--r--src/input/input_stdin_fifo.c4
13 files changed, 37 insertions, 13 deletions
diff --git a/ChangeLog b/ChangeLog
index 33f153b25..ebff0e5de 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,7 +5,7 @@ xine-lib (1.1.17) 2009-??-??
removing a break statement.
* Enable libmpeg2new. This is not yet production code; the old mpeg2
decoder remains the default.
- * Fix a broken size check in the pvr input plugin (ref. CVE-2008-5239).
+ * Fix broken size checks in various input plugins (ref. CVE-2008-5239).
* More malloc checking (ref. CVE-2008-5240).
* Fix race conditions in gapless_switch (ref. kde bug #180339)
diff --git a/src/input/input_dvb.c b/src/input/input_dvb.c
index 9c592a067..5060757e4 100644
--- a/src/input/input_dvb.c
+++ b/src/input/input_dvb.c
@@ -2602,7 +2602,9 @@ static buf_element_t *dvb_plugin_read_block (input_plugin_t *this_gen,
buf_element_t *buf = fifo->buffer_pool_alloc (fifo);
int total_bytes;
- if (todo < 0 || todo > buf->size) {
+ if (todo > buf->max_size)
+ todo = buf->max_size;
+ if (todo < 0) {
buf->free_buffer (buf);
return NULL;
}
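Review bot: The new guard `if (todo > buf->max_size) todo = buf->max_size;` turns an oversized request into a silently shortened read where the old check returned NULL, and nothing at the site says so. A caller that expects a block of exactly `todo` bytes would have to look at the returned buffer's size field; whether the rest of dvb_plugin_read_block sets that field to the bytes actually read is outside the hunk. I would add a comment above the clamp, for example `/* cap the request at the buffer's capacity (max_size); the returned block may be shorter than asked for */`, and brace the one-line `if` to match the block that follows it. The same three lines appear in the file, gnome_vfs, http, mms, net, pnm, pvr, rtp, rtsp, smb and stdin_fifo hunks, so the comment applies there as well.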
diff --git a/src/input/input_file.c b/src/input/input_file.c
index 690913aa4..2187f0007 100644
--- a/src/input/input_file.c
+++ b/src/input/input_file.c
@@ -169,7 +169,9 @@ static buf_element_t *file_plugin_read_block (input_plugin_t *this_gen, fifo_buf
file_input_plugin_t *this = (file_input_plugin_t *) this_gen;
buf_element_t *buf = fifo->buffer_pool_alloc (fifo);
- if (todo < 0 || todo > buf->size) {
+ if (todo > buf->max_size)
+ todo = buf->max_size;
+ if (todo < 0) {
buf->free_buffer (buf);
return NULL;
}
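Review bot: The guard here is the same three lines pasted into all twelve `*_plugin_read_block` functions in this commit, so the wrong field (`size` instead of `max_size`) had to be corrected in twelve places at once. A single static inline helper in a header the input plugins already share would keep the capacity check in one place; the name and location below are only a suggestion. `todo` looks like a 64-bit signed offset, judging by the `PRId64` format in the mms hunk, so the helper takes it by pointer and keeps the negative test. file_plugin_read_block continues outside the hunk.

```c
/* proposed helper: reject a negative request, cap the rest at the buffer's capacity */
static inline int read_block_clamp_todo (const buf_element_t *buf, off_t *todo)
{
  if (*todo < 0)
    return -1;
  if (*todo > buf->max_size)
    *todo = buf->max_size;
  return 0;
}

/* call site, replacing the two ifs in each *_plugin_read_block */
if (read_block_clamp_todo (buf, &todo) < 0) {
  /* … unchanged: free_buffer and return NULL … */
}
```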
diff --git a/src/input/input_gnome_vfs.c b/src/input/input_gnome_vfs.c
index ec025f7b5..a3dfafdd5 100644
--- a/src/input/input_gnome_vfs.c
+++ b/src/input/input_gnome_vfs.c
@@ -121,7 +121,9 @@ gnomevfs_plugin_read_block (input_plugin_t *this_gen, fifo_buffer_t *fifo,
off_t total_bytes;
buf_element_t *buf = fifo->buffer_pool_alloc (fifo);
- if (todo < 0 || todo > buf->size) {
+ if (todo > buf->max_size)
+ todo = buf->max_size;
+ if (todo < 0) {
buf->free_buffer (buf);
return NULL;
}
diff --git a/src/input/input_http.c b/src/input/input_http.c
index 3cb745656..c831dfc59 100644
--- a/src/input/input_http.c
+++ b/src/input/input_http.c
@@ -506,7 +506,9 @@ static buf_element_t *http_plugin_read_block (input_plugin_t *this_gen, fifo_buf
off_t total_bytes;
buf_element_t *buf = fifo->buffer_pool_alloc (fifo);
- if (todo < 0 || todo > buf->size) {
+ if (todo > buf->max_size)
+ todo = buf->max_size;
+ if (todo < 0) {
buf->free_buffer (buf);
return NULL;
}
diff --git a/src/input/input_mms.c b/src/input/input_mms.c
index d5cc0a2ac..cd88a0609 100644
--- a/src/input/input_mms.c
+++ b/src/input/input_mms.c
@@ -122,7 +122,9 @@ static buf_element_t *mms_plugin_read_block (input_plugin_t *this_gen,
lprintf ("mms_plugin_read_block: %"PRId64" bytes...\n", todo);
- if (todo < 0 || todo > buf->size) {
+ if (todo > buf->max_size)
+ todo = buf->max_size;
+ if (todo < 0) {
buf->free_buffer (buf);
return NULL;
}
diff --git a/src/input/input_net.c b/src/input/input_net.c
index 719203ff9..d9da27b54 100644
--- a/src/input/input_net.c
+++ b/src/input/input_net.c
@@ -291,7 +291,9 @@ static buf_element_t *net_plugin_read_block (input_plugin_t *this_gen,
buf_element_t *buf = fifo->buffer_pool_alloc (fifo);
off_t total_bytes;
- if (todo < 0 || todo > buf->size) {
+ if (todo > buf->max_size)
+ todo = buf->max_size;
+ if (todo < 0) {
buf->free_buffer (buf);
return NULL;
}
diff --git a/src/input/input_pnm.c b/src/input/input_pnm.c
index af2b8add2..f609695d5 100644
--- a/src/input/input_pnm.c
+++ b/src/input/input_pnm.c
@@ -97,7 +97,9 @@ static buf_element_t *pnm_plugin_read_block (input_plugin_t *this_gen,
lprintf ("pnm_plugin_read_block: %"PRId64" bytes...\n", todo);
- if (todo < 0 || todo > buf->size) {
+ if (todo > buf->max_size)
+ todo = buf->max_size;
+ if (todo < 0) {
buf->free_buffer (buf);
return NULL;
}
diff --git a/src/input/input_pvr.c b/src/input/input_pvr.c
index 5238fccbc..a9c92e42e 100644
--- a/src/input/input_pvr.c
+++ b/src/input/input_pvr.c
@@ -1208,7 +1208,9 @@ static buf_element_t *pvr_plugin_read_block (input_plugin_t *this_gen, fifo_buff
}
buf = fifo->buffer_pool_alloc (fifo);
- if (todo < 0 || todo > buf->size) {
+ if (todo > buf->max_size)
+ todo = buf->max_size;
+ if (todo < 0) {
buf->free_buffer(buf);
return NULL;
}
diff --git a/src/input/input_rtp.c b/src/input/input_rtp.c
index 8d07eb6cf..90bae6670 100644
--- a/src/input/input_rtp.c
+++ b/src/input/input_rtp.c
@@ -527,7 +527,9 @@ static buf_element_t *rtp_plugin_read_block (input_plugin_t *this_gen,
buf_element_t *buf = fifo->buffer_pool_alloc (fifo);
int total_bytes;
- if (todo < 0 || todo > buf->size) {
+ if (todo > buf->max_size)
+ todo = buf->max_size;
+ if (todo < 0) {
buf->free_buffer (buf);
return NULL;
}
diff --git a/src/input/input_rtsp.c b/src/input/input_rtsp.c
index bfe8fdf85..fad395e0b 100644
--- a/src/input/input_rtsp.c
+++ b/src/input/input_rtsp.c
@@ -98,7 +98,9 @@ static buf_element_t *rtsp_plugin_read_block (input_plugin_t *this_gen,
lprintf ("rtsp_plugin_read_block: %"PRId64" bytes...\n", todo);
- if (todo < 0 || todo > buf->size) {
+ if (todo > buf->max_size)
+ todo = buf->max_size;
+ if (todo < 0) {
buf->free_buffer (buf);
return NULL;
}
diff --git a/src/input/input_smb.c b/src/input/input_smb.c
index 4d7e9a94a..e49eaa889 100644
--- a/src/input/input_smb.c
+++ b/src/input/input_smb.c
@@ -91,7 +91,9 @@ smb_plugin_read_block (input_plugin_t *this_gen, fifo_buffer_t *fifo,
off_t total_bytes;
buf_element_t *buf = fifo->buffer_pool_alloc (fifo);
- if (todo < 0 || todo > buf->size) {
+ if (todo > buf->max_size)
+ todo = buf->max_size;
+ if (todo < 0) {
buf->free_buffer (buf);
return NULL;
}
diff --git a/src/input/input_stdin_fifo.c b/src/input/input_stdin_fifo.c
index 4acd825a5..64b8d748c 100644
--- a/src/input/input_stdin_fifo.c
+++ b/src/input/input_stdin_fifo.c
@@ -123,7 +123,9 @@ static buf_element_t *stdin_plugin_read_block (input_plugin_t *this_gen, fifo_bu
/* stdin_input_plugin_t *this = (stdin_input_plugin_t *) this_gen; */
buf_element_t *buf = fifo->buffer_pool_alloc (fifo);
- if (todo < 0 || todo > buf->size) {
+ if (todo > buf->max_size)
+ todo = buf->max_size;
+ if (todo < 0) {
buf->free_buffer (buf);
return NULL;
}