Sanity-check ASF header sizes.

This fixes a crash in the ASF demuxer, caused by the example exploit file given
for CVE-2006-1664.

1 files changed, 16 insertions, 1 deletions

diff --git a/src/demuxers/demux_asf.c b/src/demuxers/demux_asf.c
index c4a154f99..4eb9398be 100644
--- a/src/demuxers/demux_asf.c
+++ b/src/demuxers/demux_asf.c
@@ -379,10 +379,21 @@ static int asf_read_header (demux_asf_t *this) {
   char *asf_header_buffer = NULL;
 
   asf_header_len = get_le64(this);
-  asf_header_buffer = alloca(asf_header_len);
+  if (asf_header_len > 4 * 1024 * 1024)
+  {
+    xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, 
+	    "demux_asf: asf_read_header: overly-large header? (%"PRIu64" bytes)\n",
+	    asf_header_len);
+    return 0;
+  }
+
+  asf_header_buffer = malloc (asf_header_len);
 
   if (this->input->read (this->input, asf_header_buffer, asf_header_len) != asf_header_len)
+  {
+    free (asf_header_buffer);
     return 0;
+  }
 
   /* delete previous header */
   if (this->asf_header) {
@@ -395,7 +406,11 @@ static int asf_read_header (demux_asf_t *this) {
    */
   this->asf_header = asf_header_new(asf_header_buffer, asf_header_len);
   if (!this->asf_header)
+  {
+    free (asf_header_buffer);
     return 0;
+  }
+  free (asf_header_buffer);
 
   lprintf("asf header parsing ok\n");