authorMatthias Hopf <mhopf@suse.de>2009-01-04 17:21:46 +0000
committerMatthias Hopf <mhopf@suse.de>2009-01-04 17:21:46 +0000
commitba5f2ab8d7209f3971ecf22ea3bc5ee43a692b5c (patch)
treea79d6e7a0b55fd40bdb0942909f45f036f03f2df
parent0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3 (diff)
Fix for CVE-2008-5240
xine-lib 1.1.12, and other 1.1.15 and earlier versions, relies on an untrusted input value to determine the memory allocation and does not check the result for (1) the MATROSKA_ID_TR_CODECPRIVATE track entry element processed by demux_matroska.c; and (2) PROP_TAG, (3) MDPR_TAG, and (4) CONT_TAG chunks processed by the real_parse_headers function in demux_real.c; which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) or possibly execute arbitrary code via a crafted value.
-rw-r--r--src/demuxers/demux_real.c7
1 files changed, 6 insertions, 1 deletions
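--- a/src/demuxers/demux_real.c
+++ b/src/demuxers/demux_real.c
@@ -435,9 +435,14 @@ static void real_parse_headers (demux_real_t *this) {
 case MDPR_TAG:
 case CONT_TAG:
 {
+ if (chunk_size < PREAMBLE_SIZE+1) {
+ this->status = DEMUX_FINISHED;
+ return;
+ }
 chunk_size -= PREAMBLE_SIZE;
 uint8_t *const chunk_buffer = malloc(chunk_size);
- if (this->input->read(this->input, chunk_buffer, chunk_size) !=
+ if (! chunk_buffer ||
+ this->input->read(this->input, chunk_buffer, chunk_size) !=
 chunk_size) {
 free (chunk_buffer);
 this->status = DEMUX_FINISHED;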
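Review bot: The new guard only bounds chunk_size from below, so the stream-supplied value still drives malloc(chunk_size) with no upper limit; the NULL check now turns an allocation failure into a clean DEMUX_FINISHED, but an oversized value can still commit an arbitrarily large buffer before the read fails, which is a memory-exhaustion concern the commit leaves open. A sanity cap on the untrusted size at the same guard would close it, e.g. `if (chunk_size <= PREAMBLE_SIZE || chunk_size > MAX_HEADER_CHUNK_SIZE /* placeholder: project-defined limit */) {`; writing the lower bound as `<= PREAMBLE_SIZE` also reads more directly than `< PREAMBLE_SIZE+1`. Whether chunk_size is signed or unsigned is not visible in the hunk, so the exact form of the cap should be confirmed against its declaration. real_parse_headers starts before and continues past this hunk, including the remainder of the error branch after the status assignment.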