-rw-r--r--ChangeLog6
-rw-r--r--src/demuxers/demux_4xm.c4
2 files changed, 7 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 5e7b0a6b5..49e48990f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,7 @@
xine-lib (1.1.17) 2009-??-??
+ * Security fixes:
+ - Fix another possible int overflow in the 4XM demuxer.
+ (ref. TKADV2009-004, CVE-2009-0385)
* Enable libmpeg2new (if configured with --enable-libmpeg2new).
This is not yet production code; the old mpeg2 decoder remains the default.
* Add support for OpenBSD.
@@ -18,7 +21,8 @@ xine-lib (1.1.16.2) 2009-02-10
* Fix broken size checks in various input plugins (ref. CVE-2008-5239).
* More malloc checking (ref. CVE-2008-5240).
* Fix race conditions in gapless_switch (ref. kde bug #180339)
- * Fix a possible integer overflow in the 4XM demuxer. (TKADV2009-004.txt)
+ * Fix a possible integer overflow in the 4XM demuxer.
+ (TKADV2009-004, CVE-2009-0385)
xine-lib (1.1.16.1) 2009-01-11
* Fix build with older ffmpeg, both internal and in Debian 5.0.
diff --git a/src/demuxers/demux_4xm.c b/src/demuxers/demux_4xm.c
index 015ed8b2f..397a271b8 100644
--- a/src/demuxers/demux_4xm.c
+++ b/src/demuxers/demux_4xm.c
@@ -190,9 +190,9 @@ static int open_fourxm_file(demux_fourxm_t *fourxm) {
return 0;
}
const uint32_t current_track = _X_LE_32(&header[i + 8]);
- if (current_track + 1 > fourxm->track_count) {
+ if (current_track >= fourxm->track_count) {
fourxm->track_count = current_track + 1;
- if (fourxm->track_count >= UINT_MAX / sizeof(audio_track_t)) {
+ if (!fourxm->track_count || fourxm->track_count >= UINT_MAX / sizeof(audio_track_t)) {
free(header);
return 0;
}
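Review bot: `fourxm->track_count = current_track + 1;` is still written before the range check, so on the rejecting path the struct keeps a file-controlled count (0 after the wrap, or an oversized value) that presumably no longer matches the size of the track array; any cleanup code outside this hunk that iterates by `track_count` would need confirming. Validating a local first would avoid that: `const uint32_t new_count = current_track + 1;`, then `if (!new_count || new_count >= UINT_MAX / sizeof(audio_track_t)) {`, and assign `fourxm->track_count = new_count;` only after the check passes. The bound also still lets a single header field request an allocation close to `UINT_MAX` bytes, so a small fixed cap on the number of audio tracks would be a tighter limit for untrusted files. A one-line comment that the `!` test catches `current_track == UINT32_MAX` wrapping to zero would help the next reader. The body of open_fourxm_file starts and continues outside the hunk.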