authorDarren Salt <linux@youmustbejoking.demon.co.uk>2009-01-16 18:16:17 +0000
committerDarren Salt <linux@youmustbejoking.demon.co.uk>2009-01-16 18:16:17 +0000
commitcc96350ed25b072190267641a6af7974524b6d4e (patch)
treed36581384777f2b99bdfa2739f1f6aa91ca1da78
parent330f70c22473c5e34607eec6115fe23808bbb7ed (diff)
Fix a broken size check in the pvr input plugin (ref. CVE-2008-5239).
-rw-r--r--ChangeLog1
-rw-r--r--src/input/input_pvr.c10
2 files changed, 7 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index f5ec9da94..3ed085f08 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@ xine-lib (1.1.17) 2009-??-??
* Build fixes related to ImageMagick 6.4 & later.
* Enable libmpeg2new. This is not yet production code; the old mpeg2
decoder remains the default.
+ * Fix a broken size check in the pvr input plugin (ref. CVE-2008-5239).
xine-lib (1.1.16.1) 2009-01-11
* Fix build with older ffmpeg, both internal and in Debian 5.0.
diff --git a/src/input/input_pvr.c b/src/input/input_pvr.c
index 18d29f6be..5238fccbc 100644
--- a/src/input/input_pvr.c
+++ b/src/input/input_pvr.c
@@ -1202,14 +1202,17 @@ static buf_element_t *pvr_plugin_read_block (input_plugin_t *this_gen, fifo_buff
buf_element_t *buf;
int speed = _x_get_speed(this->stream);
- if (todo < 0 || todo > buf->size)
- return NULL;
-
if( !this->pvr_running ) {
xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, "input_pvr: thread died, aborting\n");
return NULL;
}
+ buf = fifo->buffer_pool_alloc (fifo);
+ if (todo < 0 || todo > buf->size) {
+ buf->free_buffer(buf);
+ return NULL;
+ }
+
if( this->scr_tunning == -2 )
speed = this->speed_before_pause;
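Review bot: Moving `buffer_pool_alloc` up means `buf` is now held across everything between this hunk and the old allocation site, so any early `return` in the lines not shown here (roughly new lines 1219–1235) would leave the buffer checked out of the pool unless it also calls `buf->free_buffer(buf);` as the size-check branch does. The ordering itself is load-bearing but undocumented: `buf->size` only means something once the buffer has been allocated, so a comment above the check such as `/* buf must be allocated before buf->size is read; see CVE-2008-5239 */` would stop the call being moved back later. The rejected-size path also returns NULL silently, unlike the `pvr_running` branch above it; a debug `xprintf` there would make a bad `todo` diagnosable. pvr_plugin_read_block starts before and continues after this hunk, so the leak concern should be confirmed against the full function.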
@@ -1233,7 +1236,6 @@ static buf_element_t *pvr_plugin_read_block (input_plugin_t *this_gen, fifo_buff
pvr_event_handler(this);
- buf = fifo->buffer_pool_alloc (fifo);
buf->content = buf->mem;
pthread_mutex_lock(&this->lock);