diff options
| author | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2009-01-16 18:16:17 +0000 |
|---|---|---|
| committer | Darren Salt <linux@youmustbejoking.demon.co.uk> | 2009-01-16 18:16:17 +0000 |
| commit | cc96350ed25b072190267641a6af7974524b6d4e (patch) | |
| tree | d36581384777f2b99bdfa2739f1f6aa91ca1da78 /src | |
| parent | 330f70c22473c5e34607eec6115fe23808bbb7ed (diff) | |
| download | xine-lib-cc96350ed25b072190267641a6af7974524b6d4e.tar.gz xine-lib-cc96350ed25b072190267641a6af7974524b6d4e.tar.bz2 | |
Fix a broken size check in the pvr input plugin (ref. CVE-2008-5239).
Diffstat (limited to 'src')
| -rw-r--r-- | src/input/input_pvr.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/src/input/input_pvr.c b/src/input/input_pvr.c index 18d29f6be..5238fccbc 100644 --- a/src/input/input_pvr.c +++ b/src/input/input_pvr.c @@ -1202,14 +1202,17 @@ static buf_element_t *pvr_plugin_read_block (input_plugin_t *this_gen, fifo_buff buf_element_t *buf; int speed = _x_get_speed(this->stream); - if (todo < 0 || todo > buf->size) - return NULL; - if( !this->pvr_running ) { xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, "input_pvr: thread died, aborting\n"); return NULL; } + buf = fifo->buffer_pool_alloc (fifo); + if (todo < 0 || todo > buf->size) { + buf->free_buffer(buf); + return NULL; + } + if( this->scr_tunning == -2 ) speed = this->speed_before_pause; @@ -1233,7 +1236,6 @@ static buf_element_t *pvr_plugin_read_block (input_plugin_t *this_gen, fifo_buff pvr_event_handler(this); - buf = fifo->buffer_pool_alloc (fifo); buf->content = buf->mem; pthread_mutex_lock(&this->lock); |