author | Michael Roitzsch <mroi@users.sourceforge.net> | 2004-12-15 21:03:02 +0000 |
---|---|---|
committer | Michael Roitzsch <mroi@users.sourceforge.net> | 2004-12-15 21:03:02 +0000 |
commit | c9450dc0b04d03c85fc7183562d7a66c538f9df8 (patch) | |
tree | 600d6f26cbab6922302cfadc96dea8c70eaf2e21 | |
parent | 329c06d02c919129ad4d3797d14c2566fce7aff5 (diff) | |
download | xine-lib-c9450dc0b04d03c85fc7183562d7a66c538f9df8.tar.gz xine-lib-c9450dc0b04d03c85fc7183562d7a66c538f9df8.tar.bz2 |
check for the chunk size the file tells us before blindly overflowing
the buffer; this was remotely exploitable, thanks to Ariel Berkman for
catching this and D. J. Bernstein for reporting it
CVS patchset: 7261
CVS date: 2004/12/15 21:03:02
-rw-r--r-- | src/demuxers/demux_aiff.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/demuxers/demux_aiff.c b/src/demuxers/demux_aiff.c
index 3589cadd0..253827454 100644
--- a/src/demuxers/demux_aiff.c
+++ b/src/demuxers/demux_aiff.c
@@ -21,7 +21,7 @@
 /*
 * AIFF File Demuxer by Mike Melanson (melanson@pcisys.net)
 *
- * $Id: demux_aiff.c,v 1.39 2004/06/13 21:28:52 miguelfreitas Exp $
+ * $Id: demux_aiff.c,v 1.40 2004/12/15 21:03:02 mroi Exp $
 *
 */
@@ -120,6 +120,12 @@ static int open_aiff_file(demux_aiff_t *this) {
 }
 chunk_type = BE_32(&preamble[0]);
 chunk_size = BE_32(&preamble[4]);
+
+ if (chunk_size > sizeof(buffer) / sizeof(buffer[0])) {
+ /* the chunk is too large to fit in the buffer -> this cannot be an aiff chunk */
+ this->status = DEMUX_FINISHED;
+ return 0;
+ }
 if (chunk_type == COMM_TAG) {
 if (this->input->read(this->input, buffer, chunk_size) != |
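Review bot: The new size guard in the second hunk sits ahead of `if (chunk_type == COMM_TAG) {`, so it is applied to every chunk in the file, while the only read into `buffer` visible here is inside the COMM branch. If the other chunk types (handled outside the hunk) are seeked over rather than copied into `buffer`, a well-formed file whose sound-data chunk is larger than `buffer` would now stop with `DEMUX_FINISHED`; making the guard the first statement inside the COMM branch keeps the overflow fix without that side effect. The guard only bounds the chunk from above: if the COMM parsing after the read (not visible here) uses fixed offsets into `buffer`, a `chunk_size` shorter than those offsets would leave it parsing bytes the read never filled, so a lower bound is worth checking in the same place. A comment such as `/* chunk_size is file-controlled: bound it before read() copies into buffer */` would record why the check must stay ahead of the read. The body of open_aiff_file starts and ends outside the hunk.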