summaryrefslogtreecommitdiff
path: root/src/input/mmsh.c
diff options
context:
space:
mode:
authorMatthias Hopf <mat@mshopf.de>2006-07-11 09:37:31 +0000
committerMatthias Hopf <mat@mshopf.de>2006-07-11 09:37:31 +0000
commitde69df94635a712b93877fb3b3260a3b03d09dd9 (patch)
tree79194f4f91fcc268ea56cef398c5ec3499e205c7 /src/input/mmsh.c
parent9a340e80da1385b3e790658b8f7b9830daef90f5 (diff)
downloadxine-lib-de69df94635a712b93877fb3b3260a3b03d09dd9.tar.gz
xine-lib-de69df94635a712b93877fb3b3260a3b03d09dd9.tar.bz2
Fixing some libmms related overflows.
Loosly based on: [vendor-sec] patch for libmms buffer overflows (CVE-2006-2200) CVS patchset: 8118 CVS date: 2006/07/11 09:37:31
Diffstat (limited to 'src/input/mmsh.c')
-rw-r--r--src/input/mmsh.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/input/mmsh.c b/src/input/mmsh.c
index 3da85d0b0..0b63c8db3 100644
--- a/src/input/mmsh.c
+++ b/src/input/mmsh.c
@@ -17,7 +17,7 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
*
- * $Id: mmsh.c,v 1.37 2006/06/20 01:46:41 dgp85 Exp $
+ * $Id: mmsh.c,v 1.38 2006/07/11 09:37:31 mshopf Exp $
*
* MMS over HTTP protocol
* written by Thibaut Mattern
@@ -182,7 +182,7 @@ struct mmsh_s {
int num_stream_ids;
int stream_ids[ASF_MAX_NUM_STREAMS];
int stream_types[ASF_MAX_NUM_STREAMS];
- int packet_length;
+ uint32_t packet_length;
int64_t file_length;
char guid[37];
uint32_t bitrates[ASF_MAX_NUM_STREAMS];
@@ -491,6 +491,10 @@ static void interp_header (mmsh_t *this) {
case GUID_ASF_FILE_PROPERTIES:
this->packet_length = LE_32(this->asf_header + i + 92 - 24);
+ if (this->packet_length > CHUNK_SIZE) {
+ this->packet_length = 0;
+ break;
+ }
this->file_length = LE_64(this->asf_header + i + 40 - 24);
/*lprintf ("file object, file_length = %lld, packet length = %d",
this->file_length, this->packet_count);*/
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-23 14:42:11 +0000