Fix for CVE-2008-5239

xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not
properly handle (a) negative and (b) zero values during unspecified
read function calls in input_file.c, input_net.c, input_smb.c, and
input_http.c, which allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via vectors such as
(1) a file or (2) an HTTP response, which triggers consequences such
as out-of-bounds reads and heap-based buffer overflows.

1 files changed, 11 insertions, 1 deletions

diff --git a/src/input/input_rtp.c b/src/input/input_rtp.c
index 66fcba87e..8d07eb6cf 100644
--- a/src/input/input_rtp.c
+++ b/src/input/input_rtp.c
@@ -453,6 +453,9 @@ static off_t rtp_plugin_read (input_plugin_t *this_gen,
   struct timespec timeout;
   off_t copied = 0; 
   
+  if (length < 0)
+    return -1;
+
   while(length > 0) {
 
     off_t n;
@@ -524,6 +527,10 @@ static buf_element_t *rtp_plugin_read_block (input_plugin_t *this_gen,
   buf_element_t        *buf = fifo->buffer_pool_alloc (fifo);
   int                   total_bytes;
 
+  if (todo < 0 || todo > buf->size) {
+    buf->free_buffer (buf);
+    return NULL;
+  }
 
   buf->content = buf->mem;
   buf->type    = BUF_DEMUX_BLOCK;
@@ -609,11 +616,14 @@ static int rtp_plugin_get_optional_data (input_plugin_t *this_gen,
   if (data_type == INPUT_OPTIONAL_DATA_PREVIEW) {
     if (!this->preview_read_done) {
       this->preview_size = rtp_plugin_read(this_gen, this->preview, MAX_PREVIEW_SIZE);
+      if (this->preview_size < 0)
+	this->preview_size = 0;
       lprintf("Preview data length = %d\n", this->preview_size);
 
       this->preview_read_done = 1;
     }
-    memcpy(data, this->preview, this->preview_size);
+    if (this->preview_size)
+      memcpy(data, this->preview, this->preview_size);
     return this->preview_size;
   }
   else {