author | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2009-01-18 16:36:31 +0000 |
---|---|---|
committer | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2009-01-18 16:36:31 +0000 |
commit | c62b455944c8c91bd4d9ae5e8000ec33190174c5 (patch) | |
tree | 3578282592cd5a84e330fd4c41a3c6afa7d50d17 | |
parent | d797ae8a0d0e011515b37e76cbc0c0b869714ea3 (diff) | |
parent | f4b5e62eb102b684ea206112d09cfcbc05e1e91e (diff) | |
Merge from 1.1.
-rw-r--r-- | .hgignore | 8 | ||||
-rw-r--r-- | ChangeLog | 1 | ||||
-rw-r--r-- | src/demuxers/demux_real.c | 34 | ||||
-rw-r--r-- | src/input/libreal/rmff.c | 27 |
4 files changed, 64 insertions, 6 deletions
@@ -102,6 +102,7 @@ m4/ltsugar.m4 m4/ltversion.m4 m4/lt~obsolete.m4 +misc/Makefile.plugins misc/SlackBuild misc/build_rpms.sh misc/libxine.pc @@ -119,4 +120,11 @@ po/stamp-po po/insert-header.sed po/remove-potcdate.sed +src/combined/ffmpeg/avcodec_*.list +src/combined/ffmpeg/ff_*_list.h +src/libffmpeg/ffmpeg_config.h +src/video_out/libdha/pci_dev_ids.c +src/video_out/libdha/pci_ids.h +src/video_out/libdha/pci_names.[ch] +src/video_out/libdha/pci_vendors.h src/xine-utils/xmltest @@ -74,6 +74,7 @@ xine-lib (1.1.17) 2009-??-?? * Enable libmpeg2new. This is not yet production code; the old mpeg2 decoder remains the default. * Fix a broken size check in the pvr input plugin (ref. CVE-2008-5239). + * More malloc checking (ref. CVE-2008-5240). xine-lib (1.1.16.1) 2009-01-11 * Fix build with older ffmpeg, both internal and in Debian 5.0. diff --git a/src/demuxers/demux_real.c b/src/demuxers/demux_real.c index 376eb63b2..d416ebeca 100644 --- a/src/demuxers/demux_real.c +++ b/src/demuxers/demux_real.c @@ -265,8 +265,12 @@ static void real_parse_index(demux_real_t *this) { this->input->seek(this->input, original_pos, SEEK_SET); } -static mdpr_t *real_parse_mdpr(const char *data) { - mdpr_t *mdpr=malloc(sizeof(mdpr_t)); +static mdpr_t *real_parse_mdpr(const char *data, const unsigned int size) +{ + if (size < 38) + return NULL; + + mdpr_t *mdpr=calloc(sizeof(mdpr_t), 1); mdpr->stream_number=_X_BE_16(&data[2]); mdpr->max_bit_rate=_X_BE_32(&data[4]); 
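Review bot: The `calloc` result in real_parse_mdpr is dereferenced on the very next line (`mdpr->stream_number=_X_BE_16(&data[2]);`) without a NULL check, so an allocation failure still crashes here even though the ChangeLog entry describes this as malloc checking. Add `if (!mdpr) return NULL;` directly after the allocation; the caller in real_parse_headers already handles a NULL return. The same unchecked `calloc` is in rmff_scan_mdpr in src/input/libreal/rmff.c (hunk at -334). As a style point, the arguments are in (size, count) order, and `calloc(1, sizeof(*mdpr))` is the conventional form. The function body continues past this hunk.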
@@ -278,13 +282,25 @@ static mdpr_t *real_parse_mdpr(const char *data) { mdpr->duration=_X_BE_32(&data[28]); mdpr->stream_name_size=data[32]; + if (size < 38 + mdpr->stream_name_size) + goto fail; mdpr->stream_name=xine_memdup0(&data[33], mdpr->stream_name_size); + if (!mdpr->stream_name) + goto fail; mdpr->mime_type_size=data[33+mdpr->stream_name_size]; + if (size < 38 + mdpr->stream_name_size + mdpr->mime_type_size) + goto fail; mdpr->mime_type=xine_memdup0(&data[34+mdpr->stream_name_size], mdpr->mime_type_size); + if (!mdpr->mime_type) + goto fail; mdpr->type_specific_len=_X_BE_32(&data[34+mdpr->stream_name_size+mdpr->mime_type_size]); + if (size < 38 + mdpr->stream_name_size + mdpr->mime_type_size + mdpr->type_specific_data) + goto fail; mdpr->type_specific_data=xine_memdup(&data[38+mdpr->stream_name_size+mdpr->mime_type_size], mdpr->type_specific_len); + if (!mdpr->type_specific_data) + goto fail; lprintf("MDPR: stream number: %i\n", mdpr->stream_number); lprintf("MDPR: maximal bit rate: %i\n", mdpr->max_bit_rate); @@ -302,6 +318,13 @@ static mdpr_t *real_parse_mdpr(const char *data) { #endif return mdpr; + +fail: + free (mdpr->stream_name); + free (mdpr->mime_type); + free (mdpr->type_specific_data); + free (mdpr); + return NULL; } static void real_free_mdpr (mdpr_t *mdpr) { @@ -485,9 +508,14 @@ static void real_parse_headers (demux_real_t *this) { continue; } - mdpr_t *const mdpr = real_parse_mdpr (chunk_buffer); + mdpr_t *const mdpr = real_parse_mdpr (chunk_buffer, chunk_size); lprintf ("parsing type specific data...\n"); + if (!mdpr) { + free (chunk_buffer); + this->status = DEMUX_FINISHED; + return; + } if(!strcmp(mdpr->mime_type, "audio/X-MP3-draft-00")) { lprintf ("mpeg layer 3 audio detected...\n"); diff --git a/src/input/libreal/rmff.c b/src/input/libreal/rmff.c index 8142246b6..d4b6ad2e1 100644 --- a/src/input/libreal/rmff.c +++ b/src/input/libreal/rmff.c 
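Review bot: The last bounds check in the -278 hunk adds `mdpr->type_specific_data`, a pointer that is still zero from `calloc` at that point, where `mdpr->type_specific_len` was clearly intended. The length read from the file is therefore never compared with `size`, and `xine_memdup` can copy past the end of the chunk buffer. The check should be `if (mdpr->type_specific_len > size - 38 - mdpr->stream_name_size - mdpr->mime_type_size) goto fail;`. The subtraction form is safe because the preceding check already guarantees `size` is at least that sum, and it cannot wrap if type_specific_len is a 32-bit field (its declaration is not visible here). The identical mistake is in rmff_scan_mdpr in src/input/libreal/rmff.c (hunk at -355), where the bound is `mdpr->size` and the offset is 46.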
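Review bot: The `fail:` path in the -302 hunk frees three members that may not have been assigned yet, and that is only correct because the struct now comes from `calloc`. This dependency is not stated anywhere. A comment above the label would keep a later switch back to `malloc` from turning this into a free of uninitialised pointers, for example `/* members not yet set are NULL from calloc(), so free() is a no-op for them */`. The start of the function is outside this hunk.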
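Review bot: The NULL return in the -485 hunk is handled silently: the demuxer is marked `DEMUX_FINISHED` with no message saying the MDPR header was rejected, so a truncated or malformed file is hard to tell apart from a normal end of stream when triaging. A line such as `lprintf ("invalid or truncated MDPR chunk\n");` before `free (chunk_buffer);` would cover it, and the check reads more clearly directly after the call than after the unrelated `lprintf`. It is also worth confirming that `chunk_size` here is the number of bytes actually held in `chunk_buffer`, because the read that fills it is outside this hunk.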
@@ -334,12 +334,14 @@ static rmff_prop_t *rmff_scan_prop(const char *data) { return prop; } -static rmff_mdpr_t *rmff_scan_mdpr(const char *data) { - - rmff_mdpr_t *mdpr = malloc(sizeof(rmff_mdpr_t)); +static rmff_mdpr_t *rmff_scan_mdpr(const char *data) +{ + rmff_mdpr_t *mdpr = calloc(sizeof(rmff_mdpr_t), 1); mdpr->object_id=_X_BE_32(data); mdpr->size=_X_BE_32(&data[4]); + if (mdpr->size < 46) + goto fail; mdpr->object_version=_X_BE_16(&data[8]); if (mdpr->object_version != 0) { @@ -355,15 +357,34 @@ static rmff_mdpr_t *rmff_scan_mdpr(const char *data) { mdpr->duration=_X_BE_32(&data[36]); mdpr->stream_name_size=data[40]; + if (mdpr->size < 46 + mdpr->stream_name_size) + goto fail; mdpr->stream_name = xine_memdup0(&data[41], mdpr->stream_name_size); + if (!mdpr->stream_name) + goto fail; mdpr->mime_type_size=data[41+mdpr->stream_name_size]; + if (mdpr->size < 46 + mdpr->stream_name_size + mdpr->mime_type_size) + goto fail; mdpr->mime_type = xine_memdup0(&data[42+mdpr->stream_name_size], mdpr->mime_type_size); + if (!mdpr->mime_type) + goto fail; mdpr->type_specific_len=_X_BE_32(&data[42+mdpr->stream_name_size+mdpr->mime_type_size]); + if (mdpr->size < 46 + mdpr->stream_name_size + mdpr->mime_type_size + mdpr->type_specific_data) + goto fail; mdpr->type_specific_data = xine_memdup(&data[46+mdpr->stream_name_size+mdpr->mime_type_size], mdpr->type_specific_len); + if (!mdpr->type_specific_data) + goto fail; return mdpr; + +fail: + free (mdpr->stream_name); + free (mdpr->mime_type); + free (mdpr->type_specific_data); + free (mdpr); + return NULL; } static rmff_cont_t *rmff_scan_cont(const char *data) { |
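Review bot: The new checks in rmff_scan_mdpr compare against `mdpr->size`, which is itself read from the input (`_X_BE_32(&data[4])`), and the function still takes no buffer length. They only bound the reads if every caller guarantees that at least `mdpr->size` bytes are present behind `data`, and that is not visible in this hunk. Passing the real buffer length, as real_parse_mdpr in demux_real.c now does with its `size` parameter, and rejecting a declared `mdpr->size` larger than it, would make the checks independent of the file's own claim. The function body continues past this hunk.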