| author | Matthias Hopf <mhopf@suse.de> | 2009-01-04 17:21:46 +0000 | 
|---|---|---|
| committer | Matthias Hopf <mhopf@suse.de> | 2009-01-04 17:21:46 +0000 | 
| commit | ba5f2ab8d7209f3971ecf22ea3bc5ee43a692b5c (patch) | |
| tree | a79d6e7a0b55fd40bdb0942909f45f036f03f2df /src | |
| parent | 0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3 (diff) | |
| download | xine-lib-ba5f2ab8d7209f3971ecf22ea3bc5ee43a692b5c.tar.gz xine-lib-ba5f2ab8d7209f3971ecf22ea3bc5ee43a692b5c.tar.bz2 | |
Fix for CVE-2008-5240
xine-lib 1.1.12, and other 1.1.15 and earlier versions, relies on an
untrusted input value to determine the memory allocation and does not
check the result for (1) the MATROSKA_ID_TR_CODECPRIVATE track entry
element processed by demux_matroska.c; and (2) PROP_TAG, (3) MDPR_TAG,
and (4) CONT_TAG chunks processed by the real_parse_headers function
in demux_real.c; which allows remote attackers to cause a denial of
service (NULL pointer dereference and crash) or possibly execute
arbitrary code via a crafted value.
Diffstat (limited to 'src')
| -rw-r--r-- | src/demuxers/demux_real.c | 7 | 
1 files changed, 6 insertions, 1 deletions
| diff --git a/src/demuxers/demux_real.c b/src/demuxers/demux_real.c index 965470125..efb39b75f 100644 --- a/src/demuxers/demux_real.c +++ b/src/demuxers/demux_real.c @@ -435,9 +435,14 @@ static void real_parse_headers (demux_real_t *this) {      case MDPR_TAG:      case CONT_TAG:        { +	if (chunk_size < PREAMBLE_SIZE+1) { +	  this->status = DEMUX_FINISHED; +	  return; +	}  	chunk_size -= PREAMBLE_SIZE;  	uint8_t *const chunk_buffer = malloc(chunk_size); -	if (this->input->read(this->input, chunk_buffer, chunk_size) != +	if (! chunk_buffer || +	    this->input->read(this->input, chunk_buffer, chunk_size) !=  	    chunk_size) {  	  free (chunk_buffer);  	  this->status = DEMUX_FINISHED; | 
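Review bot: the new guard `if (chunk_size < PREAMBLE_SIZE+1)` is placed before `chunk_size -= PREAMBLE_SIZE;`, so it correctly prevents the subtraction from wrapping when an attacker-controlled chunk_size is smaller than the preamble, but it also rejects a chunk of exactly PREAMBLE_SIZE bytes (which would otherwise reach `malloc(0)`); if that is the intent, a short comment above the check stating that a zero-length payload is treated as a malformed header would save the next reader from wondering whether `<=` or `<` was meant. The added `! chunk_buffer ||` short-circuits before `this->input->read` is called with a NULL buffer, and the existing `free (chunk_buffer)` on the error path is well-defined for NULL, so the merged condition is sound; both failures now reach the same `DEMUX_FINISHED` path, which is consistent with the surrounding code. Note that nothing in this hunk bounds a very large chunk_size: an oversized value still reaches `malloc` and is only caught when the allocation fails or the read comes back short, which is acceptable as a denial-of-service fix but worth stating in the commit message.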
