diff options
| author | Matthias Hopf <mhopf@suse.de> | 2009-01-04 17:21:46 +0000 |
|---|---|---|
| committer | Matthias Hopf <mhopf@suse.de> | 2009-01-04 17:21:46 +0000 |
| commit | 0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3 (patch) | |
| tree | edc869e912cdf626c2faf9656bd29a4641bba3a0 /src/input/input_http.c | |
| parent | 49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a (diff) | |
| download | xine-lib-0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3.tar.gz xine-lib-0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3.tar.bz2 | |
Fix for CVE-2008-5239
xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not
properly handle (a) negative and (b) zero values during unspecified
read function calls in input_file.c, input_net.c, input_smb.c, and
input_http.c, which allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via vectors such as
(1) a file or (2) an HTTP response, which triggers consequences such
as out-of-bounds reads and heap-based buffer overflows.
Diffstat (limited to 'src/input/input_http.c')
| -rw-r--r-- | src/input/input_http.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/src/input/input_http.c b/src/input/input_http.c index 169a0d384..3cb745656 100644 --- a/src/input/input_http.c +++ b/src/input/input_http.c @@ -421,6 +421,9 @@ static off_t http_plugin_read (input_plugin_t *this_gen, num_bytes = 0; + if (nlen < 0) + return -1; + if (this->curpos < this->preview_size) { if (nlen > (this->preview_size - this->curpos)) @@ -437,7 +440,7 @@ static off_t http_plugin_read (input_plugin_t *this_gen, n = nlen - num_bytes; - if (n) { + if (n > 0) { int read_bytes; read_bytes = http_plugin_read_int (this, &buf[num_bytes], n); @@ -503,6 +506,11 @@ static buf_element_t *http_plugin_read_block (input_plugin_t *this_gen, fifo_buf off_t total_bytes; buf_element_t *buf = fifo->buffer_pool_alloc (fifo); + if (todo < 0 || todo > buf->size) { + buf->free_buffer (buf); + return NULL; + } + buf->content = buf->mem; buf->type = BUF_DEMUX_BLOCK; @@ -554,7 +562,7 @@ static off_t http_plugin_seek(input_plugin_t *this_gen, off_t offset, int origin if ((origin == SEEK_CUR) && (offset >= 0)) { for (;((int)offset) - BUFSIZE > 0; offset -= BUFSIZE) { - if( !this_gen->read (this_gen, this->seek_buf, BUFSIZE) ) + if( this_gen->read (this_gen, this->seek_buf, BUFSIZE) <= 0 ) return this->curpos; } @@ -576,7 +584,7 @@ static off_t http_plugin_seek(input_plugin_t *this_gen, off_t offset, int origin offset -= this->curpos; for (;((int)offset) - BUFSIZE > 0; offset -= BUFSIZE) { - if( !this_gen->read (this_gen, this->seek_buf, BUFSIZE) ) + if( this_gen->read (this_gen, this->seek_buf, BUFSIZE) <= 0 ) return this->curpos; } @@ -996,6 +1004,7 @@ static int http_plugin_open (input_plugin_t *this_gen ) { this->preview_size = http_plugin_read_int (this, this->preview, MAX_PREVIEW_SIZE); } if (this->preview_size < 0) { + this->preview_size = 0; xine_log (this->stream->xine, XINE_LOG_MSG, _("input_http: read error %d\n"), errno); return -12; } |