Fix a possible integer overflow in the 4XM demuxer. (TKADV2009-004.txt)

author: Darren Salt <linux@youmustbejoking.demon.co.uk> 2009-02-10 17:17:50 +0000
committer: Darren Salt <linux@youmustbejoking.demon.co.uk> 2009-02-10 17:17:50 +0000
commit: ec17a06e90ae960595fce584ce1b161f2674293e (patch)
tree: 5ab9fad20c663e40f38125e798c198b0d918d804 /src
parent: a0b9021d54dc9890da5f0c9bd26361db4556f6c2 (diff)
download: xine-lib-ec17a06e90ae960595fce584ce1b161f2674293e.tar.gz
xine-lib-ec17a06e90ae960595fce584ce1b161f2674293e.tar.bz2
1 files changed, 4 insertions, 0 deletions
diff --git a/src/demuxers/demux_4xm.c b/src/demuxers/demux_4xm.c
index a02a4b597..015ed8b2f 100644
--- a/src/demuxers/demux_4xm.c
+++ b/src/demuxers/demux_4xm.c
@@ -192,6 +192,10 @@ static int open_fourxm_file(demux_fourxm_t *fourxm) {
       const uint32_t current_track = _X_LE_32(&header[i + 8]);
       if (current_track + 1 > fourxm->track_count) {
         fourxm->track_count = current_track + 1;
+        if (fourxm->track_count >= UINT_MAX / sizeof(audio_track_t)) {
+          free(header);
+          return 0;
+        }
         fourxm->tracks = realloc(fourxm->tracks,
           fourxm->track_count * sizeof(audio_track_t));
         if (!fourxm->tracks) {
author	Darren Salt <linux@youmustbejoking.demon.co.uk>	2009-02-10 17:17:50 +0000
committer	Darren Salt <linux@youmustbejoking.demon.co.uk>	2009-02-10 17:17:50 +0000
commit	ec17a06e90ae960595fce584ce1b161f2674293e (patch)
tree	5ab9fad20c663e40f38125e798c198b0d918d804 /src
parent	a0b9021d54dc9890da5f0c9bd26361db4556f6c2 (diff)
download	xine-lib-ec17a06e90ae960595fce584ce1b161f2674293e.tar.gz xine-lib-ec17a06e90ae960595fce584ce1b161f2674293e.tar.bz2