Fix for CVE-2008-5239

xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not properly handle (a) negative and (b) zero values during unspecified read function calls in input_file.c, input_net.c, input_smb.c, and input_http.c, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via vectors such as (1) a file or (2) an HTTP response, which triggers consequences such as out-of-bounds reads and heap-based buffer overflows.
author: Matthias Hopf <mhopf@suse.de> 2009-01-04 17:21:46 +0000
committer: Matthias Hopf <mhopf@suse.de> 2009-01-04 17:21:46 +0000
commit: 0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3 (patch)
tree: edc869e912cdf626c2faf9656bd29a4641bba3a0 /src/input/input_dvb.c
parent: 49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a (diff)
download: xine-lib-0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3.tar.gz
xine-lib-0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3.tar.bz2
1 files changed, 4 insertions, 0 deletions
diff --git a/src/input/input_dvb.c b/src/input/input_dvb.c
index 19b479a06..29a38bbf1 100644
--- a/src/input/input_dvb.c
+++ b/src/input/input_dvb.c
@@ -2602,6 +2602,10 @@ static buf_element_t *dvb_plugin_read_block (input_plugin_t *this_gen,
   buf_element_t        *buf = fifo->buffer_pool_alloc (fifo);
   int                   total_bytes;
 
+  if (todo < 0 || todo > buf->size) {
+    buf->free_buffer (buf);
+    return NULL;
+  }
 
   buf->content = buf->mem;
   buf->type    = BUF_DEMUX_BLOCK;
author	Matthias Hopf <mhopf@suse.de>	2009-01-04 17:21:46 +0000
committer	Matthias Hopf <mhopf@suse.de>	2009-01-04 17:21:46 +0000
commit	0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3 (patch)
tree	edc869e912cdf626c2faf9656bd29a4641bba3a0 /src/input/input_dvb.c
parent	49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a (diff)
download	xine-lib-0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3.tar.gz xine-lib-0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3.tar.bz2