Merge security fixes.

author: Darren Salt <linux@youmustbejoking.demon.co.uk> 2009-01-05 14:50:58 +0000
committer: Darren Salt <linux@youmustbejoking.demon.co.uk> 2009-01-05 14:50:58 +0000
commit: 5347abe5764b0a0ff3ef1d357ce9934a425758fa (patch)
tree: 16114922f1fe3862535ef1898da393648522d48b /misc/cdda_server.c
parent: 0907a74b5fa7b8b439f1f8f5db239c7586bfb12d (diff)
parent: 8f725b5644ac910294fbe28929ddc98cd1d2ad38 (diff)
download: xine-lib-5347abe5764b0a0ff3ef1d357ce9934a425758fa.tar.gz
xine-lib-5347abe5764b0a0ff3ef1d357ce9934a425758fa.tar.bz2
1 files changed, 11 insertions, 0 deletions
diff --git a/misc/cdda_server.c b/misc/cdda_server.c
index 553ec0a8a..0e2817db3 100644
--- a/misc/cdda_server.c
+++ b/misc/cdda_server.c
@@ -480,6 +480,12 @@ static int process_commands( int socket )
 
         sscanf(cmd,"%*s %d %d", &start_frame, &num_frames);
 
+        if (num_frames > INT_MAX / CD_RAW_FRAME_SIZE)
+        {
+          printf ("fatal error: integer overflow\n");
+          exit (1);
+        }
+
         n = num_frames * CD_RAW_FRAME_SIZE;
         buf = malloc( n );
         if( !buf )
@@ -556,6 +562,11 @@ static int process_commands( int socket )
         char *buf;
 
         sscanf(cmd,"%*s %d %d", &blocks, &flags);
+        if (blocks > INT_MAX / DVD_BLOCK_SIZE)
+        {
+          printf ("fatal error: integer overflow\n");
+          exit (1);
+        }
 
         n = blocks * DVD_BLOCK_SIZE;
         buf = malloc( n );
author	Darren Salt <linux@youmustbejoking.demon.co.uk>	2009-01-05 14:50:58 +0000
committer	Darren Salt <linux@youmustbejoking.demon.co.uk>	2009-01-05 14:50:58 +0000
commit	5347abe5764b0a0ff3ef1d357ce9934a425758fa (patch)
tree	16114922f1fe3862535ef1898da393648522d48b /misc/cdda_server.c
parent	0907a74b5fa7b8b439f1f8f5db239c7586bfb12d (diff)
parent	8f725b5644ac910294fbe28929ddc98cd1d2ad38 (diff)
download	xine-lib-5347abe5764b0a0ff3ef1d357ce9934a425758fa.tar.gz xine-lib-5347abe5764b0a0ff3ef1d357ce9934a425758fa.tar.bz2