summaryrefslogtreecommitdiff
path: root/src/input/input_pnm.c
diff options
context:
space:
mode:
authorMatthias Hopf <mhopf@suse.de>2009-01-04 17:21:46 +0000
committerMatthias Hopf <mhopf@suse.de>2009-01-04 17:21:46 +0000
commit0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3 (patch)
treeedc869e912cdf626c2faf9656bd29a4641bba3a0 /src/input/input_pnm.c
parent49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a (diff)
downloadxine-lib-0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3.tar.gz
xine-lib-0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3.tar.bz2
Fix for CVE-2008-5239
xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not properly handle (a) negative and (b) zero values during unspecified read function calls in input_file.c, input_net.c, input_smb.c, and input_http.c, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via vectors such as (1) a file or (2) an HTTP response, which triggers consequences such as out-of-bounds reads and heap-based buffer overflows.
Diffstat (limited to 'src/input/input_pnm.c')
-rw-r--r--src/input/input_pnm.c18
1 files changed, 15 insertions, 3 deletions
diff --git a/src/input/input_pnm.c b/src/input/input_pnm.c
index 669d24d28..af2b8add2 100644
--- a/src/input/input_pnm.c
+++ b/src/input/input_pnm.c
@@ -83,7 +83,8 @@ static off_t pnm_plugin_read (input_plugin_t *this_gen,
lprintf ("pnm_plugin_read: %"PRId64" bytes ...\n", len);
n = pnm_read (this->pnm, buf, len);
- this->curpos += n;
+ if (n >= 0)
+ this->curpos += n;
return n;
}
@@ -96,6 +97,11 @@ static buf_element_t *pnm_plugin_read_block (input_plugin_t *this_gen,
lprintf ("pnm_plugin_read_block: %"PRId64" bytes...\n", todo);
+ if (todo < 0 || todo > buf->size) {
+ buf->free_buffer (buf);
+ return NULL;
+ }
+
buf->content = buf->mem;
buf->type = BUF_DEMUX_BLOCK;
@@ -123,10 +129,16 @@ static off_t pnm_plugin_seek (input_plugin_t *this_gen, off_t offset, int origin
if ((origin == SEEK_CUR) && (offset >= 0)) {
for (;((int)offset) - BUFSIZE > 0; offset -= BUFSIZE) {
- this->curpos += pnm_plugin_read (this_gen, this->scratch, BUFSIZE);
+ off_t n = pnm_plugin_read (this_gen, this->scratch, BUFSIZE);
+ if (n <= 0)
+ return this->curpos;
+ this->curpos += n;
}
- this->curpos += pnm_plugin_read (this_gen, this->scratch, offset);
+ off_t n = pnm_plugin_read (this_gen, this->scratch, offset);
+ if (n <= 0)
+ return this->curpos;
+ this->curpos += n;
}
return this->curpos;