authorDarren Salt <linux@youmustbejoking.demon.co.uk>2009-02-10 17:17:50 +0000
committerDarren Salt <linux@youmustbejoking.demon.co.uk>2009-02-10 17:17:50 +0000
commitec17a06e90ae960595fce584ce1b161f2674293e (patch)
tree5ab9fad20c663e40f38125e798c198b0d918d804
parenta0b9021d54dc9890da5f0c9bd26361db4556f6c2 (diff)
downloadxine-lib-ec17a06e90ae960595fce584ce1b161f2674293e.tar.gz
xine-lib-ec17a06e90ae960595fce584ce1b161f2674293e.tar.bz2
Fix a possible integer overflow in the 4XM demuxer. (TKADV2009-004.txt)
-rw-r--r--ChangeLog1
-rw-r--r--src/demuxers/demux_4xm.c4
2 files changed, 5 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index ebff0e5de..bdfaf1d23 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,7 @@ xine-lib (1.1.17) 2009-??-??
* Fix broken size checks in various input plugins (ref. CVE-2008-5239).
* More malloc checking (ref. CVE-2008-5240).
* Fix race conditions in gapless_switch (ref. kde bug #180339)
+ * Fix a possible integer overflow in the 4XM demuxer. (TKADV2009-004.txt)
xine-lib (1.1.16.1) 2009-01-11
* Fix build with older ffmpeg, both internal and in Debian 5.0.
diff --git a/src/demuxers/demux_4xm.c b/src/demuxers/demux_4xm.c
index a02a4b597..015ed8b2f 100644
--- a/src/demuxers/demux_4xm.c
+++ b/src/demuxers/demux_4xm.c
@@ -192,6 +192,10 @@ static int open_fourxm_file(demux_fourxm_t *fourxm) {
const uint32_t current_track = _X_LE_32(&header[i + 8]);
if (current_track + 1 > fourxm->track_count) {
fourxm->track_count = current_track + 1;
+ if (fourxm->track_count >= UINT_MAX / sizeof(audio_track_t)) {
+ free(header);
+ return 0;
+ }
fourxm->tracks = realloc(fourxm->tracks,
fourxm->track_count * sizeof(audio_track_t));
if (!fourxm->tracks) {
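Review bot: The added bound is only reached when `current_track + 1 > fourxm->track_count` holds, and that comparison can itself wrap. `current_track` is a 32-bit value read from the file header, so 0xFFFFFFFF makes `current_track + 1` equal 0, the branch is skipped, and neither the new check nor the realloc runs. If the code after this hunk indexes `fourxm->tracks` with `current_track` (not visible here), that index would then lie outside the allocation. Validate the raw value before the addition, for example `if (current_track >= UINT_MAX / sizeof(audio_track_t) - 1) { free(header); return 0; }` placed ahead of the `current_track + 1` comparison. The new early return also frees only `header`; whether a `fourxm->tracks` buffer from an earlier iteration is released elsewhere cannot be seen here, as open_fourxm_file continues outside the hunk.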