Fix for CVE-2008-5239

xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not properly handle (a) negative and (b) zero values during unspecified read function calls in input_file.c, input_net.c, input_smb.c, and input_http.c, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via vectors such as (1) a file or (2) an HTTP response, which triggers consequences such as out-of-bounds reads and heap-based buffer overflows.
author: Matthias Hopf <mhopf@suse.de> 2009-01-04 17:21:46 +0000
committer: Matthias Hopf <mhopf@suse.de> 2009-01-04 17:21:46 +0000
commit: 0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3 (patch)
tree: edc869e912cdf626c2faf9656bd29a4641bba3a0 /src/input/input_mms.c
parent: 49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a (diff)
download: xine-lib-0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3.tar.gz
xine-lib-0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3.tar.bz2
1 files changed, 5 insertions, 0 deletions
diff --git a/src/input/input_mms.c b/src/input/input_mms.c
index 158b40448..d5cc0a2ac 100644
--- a/src/input/input_mms.c
+++ b/src/input/input_mms.c
@@ -122,6 +122,11 @@ static buf_element_t *mms_plugin_read_block (input_plugin_t *this_gen,
 
   lprintf ("mms_plugin_read_block: %"PRId64" bytes...\n", todo);
 
+  if (todo < 0 || todo > buf->size) {
+    buf->free_buffer (buf);
+    return NULL;
+  }
+
   buf->content = buf->mem;
   buf->type = BUF_DEMUX_BLOCK;
author	Matthias Hopf <mhopf@suse.de>	2009-01-04 17:21:46 +0000
committer	Matthias Hopf <mhopf@suse.de>	2009-01-04 17:21:46 +0000
commit	0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3 (patch)
tree	edc869e912cdf626c2faf9656bd29a4641bba3a0 /src/input/input_mms.c
parent	49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a (diff)
download	xine-lib-0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3.tar.gz xine-lib-0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3.tar.bz2