| author | Tielei <wangtielei@icst.pku.edu.cn> | 2008-08-21 00:18:00 +0000 | 
|---|---|---|
| committer | Tielei <wangtielei@icst.pku.edu.cn> | 2008-08-21 00:18:00 +0000 | 
| commit | 613653ef0702ef2d0b6c95b0391631d2597b5464 (patch) | |
| tree | 119a8d4cebbc02a13b388f4f6ea27b19cc5a3190 /misc/cdda_server.c | |
| parent | e44f653d013abdad41e814250df65cb1fa96a290 (diff) | |
Two potential integer overflows in cdda_server
There are two potential integer overflow bugs in process_commands().
process_commands() reads some tainted data from socket to "cmd", but doesn't
check cmd rightly.
--HG--
extra : transplant_source : z%12%ABF%D9%EF%92%A1M%B2%FCx%82%26%82%EEaM%2A%C1
Diffstat (limited to 'misc/cdda_server.c')
| -rw-r--r-- | misc/cdda_server.c | 11 | 
1 files changed, 11 insertions, 0 deletions
| diff --git a/misc/cdda_server.c b/misc/cdda_server.c index 553ec0a8a..0e2817db3 100644 --- a/misc/cdda_server.c +++ b/misc/cdda_server.c @@ -480,6 +480,12 @@ static int process_commands( int socket )          sscanf(cmd,"%*s %d %d", &start_frame, &num_frames); +        if (num_frames > INT_MAX / CD_RAW_FRAME_SIZE) +        { +          printf ("fatal error: integer overflow\n"); +          exit (1); +        } +          n = num_frames * CD_RAW_FRAME_SIZE;          buf = malloc( n );          if( !buf ) @@ -556,6 +562,11 @@ static int process_commands( int socket )          char *buf;          sscanf(cmd,"%*s %d %d", &blocks, &flags); +        if (blocks > INT_MAX / DVD_BLOCK_SIZE) +        { +          printf ("fatal error: integer overflow\n"); +          exit (1); +        }          n = blocks * DVD_BLOCK_SIZE;          buf = malloc( n ); | 
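Review bot: In the first hunk (@@ -480), the new check on num_frames has only an upper bound, so a negative value parsed by `%d` still passes it. `n = num_frames * CD_RAW_FRAME_SIZE` is then negative, or can still overflow for a large negative value, and `malloc( n )` receives it converted to a very large size. Suggest rejecting both ends, for example `if (num_frames < 0 || num_frames > INT_MAX / CD_RAW_FRAME_SIZE)`. The return value of the `sscanf` call just above is also not checked, so if the command carries fewer than two integers, num_frames is compared without having been assigned by the parse; testing for a return of 2 before the bounds check would close that.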
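Review bot: In the second hunk (@@ -556), `exit (1)` on an out-of-range blocks value ends the process for a number that came straight off the socket, so any client can stop the server by sending a large count; the first hunk does the same for num_frames. Since process_commands() returns int, consider reporting the error on stderr and returning a failure for this request instead of exiting. The check also lets a negative blocks through to `n = blocks * DVD_BLOCK_SIZE` and `malloc( n )`, so it needs a `blocks < 0` test as well. Finally, the diffstat's 11 insertions are all inside these two hunks, so no include was added; please confirm `<limits.h>` is already included in cdda_server.c for INT_MAX.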
