Fix for CVE-2008-5237

Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and earlier versions, allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via (1) crafted width and height values that are not validated by the mymng_process_header function in demux_mng.c before use in an allocation calculation or (2) crafted current_atom_size and string_size values processed by the parse_reference_atom function in demux_qt.c.
author: Matthias Hopf <mhopf@suse.de> 2009-01-04 17:21:46 +0000
committer: Matthias Hopf <mhopf@suse.de> 2009-01-04 17:21:46 +0000
commit: 49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a (patch)
tree: 29c869a4bed2658fa30664ae6309ad2f63a9d5dd /src/demuxers/demux_mng.c
parent: b108d0826de0fc395a0d3eb2e5612a20df6cf334 (diff)
download: xine-lib-49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a.tar.gz
xine-lib-49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a.tar.bz2
1 files changed, 3 insertions, 0 deletions
diff --git a/src/demuxers/demux_mng.c b/src/demuxers/demux_mng.c
index 0fcdb24ff..b57a349c5 100644
--- a/src/demuxers/demux_mng.c
+++ b/src/demuxers/demux_mng.c
@@ -112,6 +112,9 @@ static mng_bool mymng_read_stream(mng_handle mngh, mng_ptr buffer, mng_uint32 si
 static mng_bool mymng_process_header(mng_handle mngh, mng_uint32 width, mng_uint32 height){
   demux_mng_t *this = (demux_mng_t*)mng_get_userdata(mngh);
 
+  if (width > 0x8000 || height > 0x8000)
+      return MNG_FALSE;
+
   this->bih.biWidth = (width + 7) & ~7;
   this->bih.biHeight = height;
   this->left_edge = (this->bih.biWidth - width) / 2;
author	Matthias Hopf <mhopf@suse.de>	2009-01-04 17:21:46 +0000
committer	Matthias Hopf <mhopf@suse.de>	2009-01-04 17:21:46 +0000
commit	49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a (patch)
tree	29c869a4bed2658fa30664ae6309ad2f63a9d5dd /src/demuxers/demux_mng.c
parent	b108d0826de0fc395a0d3eb2e5612a20df6cf334 (diff)
download	xine-lib-49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a.tar.gz xine-lib-49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a.tar.bz2