Fix for CVE-2008-5239

xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not
properly handle (a) negative and (b) zero values during unspecified
read function calls in input_file.c, input_net.c, input_smb.c, and
input_http.c, which allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via vectors such as
(1) a file or (2) an HTTP response, which triggers consequences such
as out-of-bounds reads and heap-based buffer overflows.

1 files changed, 8 insertions, 0 deletions

diff --git a/src/input/input_file.c b/src/input/input_file.c
index 774f6b081..690913aa4 100644
--- a/src/input/input_file.c
+++ b/src/input/input_file.c
@@ -145,6 +145,9 @@ static int check_mmap_file(file_input_plugin_t *this) {
 static off_t file_plugin_read (input_plugin_t *this_gen, char *buf, off_t len) {
   file_input_plugin_t *this = (file_input_plugin_t *) this_gen;
 
+  if (len < 0)
+    return -1;
+
 #ifdef HAVE_MMAP
   if ( check_mmap_file(this) ) {
     off_t l = len;
@@ -166,6 +169,11 @@ static buf_element_t *file_plugin_read_block (input_plugin_t *this_gen, fifo_buf
   file_input_plugin_t  *this = (file_input_plugin_t *) this_gen;
   buf_element_t        *buf = fifo->buffer_pool_alloc (fifo);
 
+  if (todo < 0 || todo > buf->size) {
+    buf->free_buffer (buf);
+    return NULL;
+  }
+
   buf->type = BUF_DEMUX_BLOCK;
 
 #ifdef HAVE_MMAP