-rw-r--r-- | ChangeLog | 2 | ||||
-rw-r--r-- | src/libxineadec/xine_speex_decoder.c | 9 |
2 files changed, 9 insertions, 2 deletions
@@ -1,4 +1,6 @@
 xine-lib (1.1.12) 2008-??-??
+ * Security fixes:
+ - Insufficient boundary check in speex audio decoder. (CVE-2008-1686)
 * Fixed and improved the PulseAudio driver.
 * Fixed a regression in 1.1.11.1 which broke Quicktime container handling.
 * And another, this time in the Matroska demuxer.
diff --git a/src/libxineadec/xine_speex_decoder.c b/src/libxineadec/xine_speex_decoder.c
index aa8234385..2804b1308 100644
--- a/src/libxineadec/xine_speex_decoder.c
+++ b/src/libxineadec/xine_speex_decoder.c
@@ -204,7 +204,7 @@ static void speex_decode_data (audio_decoder_t *this_gen, buf_element_t *buf) {
 if (!this->st) {
 SpeexMode * spx_mode;
 SpeexHeader * spx_header;
- int modeID;
+ unsigned int modeID;
 int bitrate;
 speex_bits_init (&this->bits);
@@ -216,7 +216,12 @@ static void speex_decode_data (audio_decoder_t *this_gen, buf_element_t *buf) {
 return;
 }
- modeID = spx_header->mode;
+ modeID = (unsigned int)spx_header->mode;
+ if (modeID >= SPEEX_NB_MODES) {
+ xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, LOG_MODULE ": invalid mode ID %u\n", modeID);
+ return;
+ }
+
 spx_mode = (SpeexMode *) speex_mode_list[modeID];
 if (spx_mode->bitstream_version != spx_header->mode_bitstream_version) { |
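Review bot: The new `return` in the `modeID >= SPEEX_NB_MODES` branch of the second hunk exits after `speex_bits_init (&this->bits)` has already run (first hunk) and while `spx_header` is still held, and nothing on that path releases either one. Because the whole block sits under `if (!this->st)` and the decoder state is presumably only assigned further down, outside the hunk, each later packet with a rejected header would repeat the initialisation, so a malformed stream could turn the rejection into a steady leak. I would release both before returning, `speex_bits_destroy (&this->bits); free (spx_header);`, provided the header is heap-allocated by the parsing call above the hunk, which is not visible here. A short comment on the check, such as `/* mode comes from the stream header and indexes speex_mode_list; the unsigned cast makes negative values fail the range test */`, would also record why the type change in the first hunk matters. speex_decode_data starts before and continues past both hunks.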