diff options
| author | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2009-02-10 17:17:50 +0000 |
|---|---|---|
| committer | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2009-02-10 17:17:50 +0000 |
| commit | a0b9021d54dc9890da5f0c9bd26361db4556f6c2 (patch) | |
| tree | 980f00f5a31e15e5ef3eeb400d5883b6b1d2643b /src/input/input_rtp.c | |
| parent | 2afab9c8441685d1ec8f6ef5c9f8c4a163533dfa (diff) | |
| download | xine-lib-a0b9021d54dc9890da5f0c9bd26361db4556f6c2.tar.gz xine-lib-a0b9021d54dc9890da5f0c9bd26361db4556f6c2.tar.bz2 | |
Fix broken size checks in various input plugins (ref. CVE-2008-5239).
Diffstat (limited to 'src/input/input_rtp.c')
| -rw-r--r-- | src/input/input_rtp.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/input/input_rtp.c b/src/input/input_rtp.c index 8d07eb6cf..90bae6670 100644 --- a/src/input/input_rtp.c +++ b/src/input/input_rtp.c @@ -527,7 +527,9 @@ static buf_element_t *rtp_plugin_read_block (input_plugin_t *this_gen, buf_element_t *buf = fifo->buffer_pool_alloc (fifo); int total_bytes; - if (todo < 0 || todo > buf->size) { + if (todo > buf->max_size) + todo = buf->max_size; + if (todo < 0) { buf->free_buffer (buf); return NULL; } |