| author | Matthias Hopf <mhopf@suse.de> | 2009-01-04 17:21:46 +0000 |
|---|---|---|
| committer | Matthias Hopf <mhopf@suse.de> | 2009-01-04 17:21:46 +0000 |
| commit | 49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a (patch) | |
| tree | 29c869a4bed2658fa30664ae6309ad2f63a9d5dd /src/demuxers/demux_qt.c | |
| parent | b108d0826de0fc395a0d3eb2e5612a20df6cf334 (diff) | |
Fix for CVE-2008-5237
Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and
earlier versions, allow remote attackers to cause a denial of service
(crash) or possibly execute arbitrary code via (1) crafted width and
height values that are not validated by the mymng_process_header
function in demux_mng.c before use in an allocation calculation or (2)
crafted current_atom_size and string_size values processed by the
parse_reference_atom function in demux_qt.c.
Diffstat (limited to 'src/demuxers/demux_qt.c')
| -rw-r--r-- | src/demuxers/demux_qt.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/demuxers/demux_qt.c b/src/demuxers/demux_qt.c
index 3d4161fbf..c569ef9a4 100644
--- a/src/demuxers/demux_qt.c
+++ b/src/demuxers/demux_qt.c
@@ -1597,13 +1597,16 @@ static qt_error parse_reference_atom (reference_t *ref,
 qt_atom current_atom;
 unsigned int current_atom_size;
+ if (ref_atom_size >= 0x80000000)
+ return QT_NOT_A_VALID_FILE;
+
 /* initialize reference atom */
 ref->url = NULL;
 ref->data_rate = 0;
 ref->qtim_version = 0;
 /* traverse through the atom looking for the key atoms */
- for (i = ATOM_PREAMBLE_SIZE; i < ref_atom_size - 4; i++) {
+ for (i = ATOM_PREAMBLE_SIZE; i + 4 < ref_atom_size; i++) {
 current_atom_size = _X_BE_32(&ref_atom[i - 4]);
 current_atom = _X_BE_32(&ref_atom[i]);
@@ -1612,7 +1615,7 @@ static qt_error parse_reference_atom (reference_t *ref,
 size_t string_size = _X_BE_32(&ref_atom[i + 12]);
 size_t url_offset = 0;
- if (string_size >= current_atom_size || i + string_size >= ref_atom_size)
+ if (string_size >= current_atom_size || string_size >= ref_atom_size - i)
 return QT_NOT_A_VALID_FILE;
 /* if the URL starts with "http://", copy it */
@@ -1620,6 +1623,8 @@ static qt_error parse_reference_atom (reference_t *ref,
 memcmp(&ref_atom[i + 16], "rtsp://", 7) && base_mrl ) url_offset = strlen(base_mrl);
+ if (url_offset >= 0x80000000)
+ return QT_NOT_A_VALID_FILE;
 /* otherwise, append relative URL to base MRL */
 string_size += url_offset; |
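Review bot: In the first hunk (@@ -1597) the new guard `if (ref_atom_size >= 0x80000000)` uses a bare literal with no comment saying what it protects. Presumably it keeps the size within the positive range of the index `i`, whose declaration is outside the hunk, so that `i + 4` and the later `ref_atom_size - i` cannot wrap; a comment such as `/* reject sizes that do not fit a signed 32-bit index, so the bounds arithmetic below cannot wrap */` would record that. A named limit instead of the literal, shared with the `url_offset` check in the third hunk, would make the two guards read the same. The body of parse_reference_atom starts and ends outside the hunk.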
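Review bot: In the second hunk (@@ -1612) the rewritten bound `string_size >= ref_atom_size - i` still measures from `i`, while the length field is read at `ref_atom[i + 12]` and the URL bytes begin at `ref_atom[i + 16]` (see the `memcmp` in the next hunk). The loop condition only guarantees `i + 4 < ref_atom_size`, so the read of `string_size` itself, and a URL of accepted length if the copy outside the hunk takes `string_size` bytes from offset 16, can reach up to 15 bytes past the end of the reference atom; whether the backing buffer is larger than `ref_atom_size` is not visible here. I would require `ref_atom_size - i > 16` before reading the field and compare against the remaining payload, `string_size >= ref_atom_size - i - 16`. That means moving the `string_size` initialisation below the new check; the enclosing block continues outside the hunk.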
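Review bot: In the third hunk (@@ -1620) the added check bounds `url_offset` on its own, but the value that matters is the sum formed two lines later by `string_size += url_offset`. With both operands just under 0x80000000 the sum comes close to the 32-bit `size_t` limit, so any constant added when the buffer is allocated (outside the hunk, so I cannot confirm) could still wrap on 32-bit builds. Bounding the sum is tighter: `if (url_offset >= 0x80000000 - string_size) return QT_NOT_A_VALID_FILE;`, which cannot underflow because `string_size` was already checked against `ref_atom_size`. The new `if` also sits directly under an unbraced multi-line `if`, so braces around `url_offset = strlen(base_mrl);` would make the scope obvious.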
