-rw-r--r--ChangeLog2
-rw-r--r--src/demuxers/demux_asf.c17
2 files changed, 18 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 0442e5d2d..3dfa097e0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,8 @@ xine-lib (1.1.10) (unreleased)
end authors should be careful with xine-lib older than 1.1.10.
* Backported xine-config & libxine.pc from 1.2.
Consequently, xine-config now requires pkg-config.
+ * Sanity-check ASF header sizes. This fixes a crash in the ASF demuxer,
+ caused by the example exploit given for CVE-2006-1664.
xine-lib (1.1.9.1) 2008-01-11
* Security fixes:
diff --git a/src/demuxers/demux_asf.c b/src/demuxers/demux_asf.c
index c4a154f99..4eb9398be 100644
--- a/src/demuxers/demux_asf.c
+++ b/src/demuxers/demux_asf.c
@@ -379,10 +379,21 @@ static int asf_read_header (demux_asf_t *this) {
char *asf_header_buffer = NULL;
asf_header_len = get_le64(this);
- asf_header_buffer = alloca(asf_header_len);
+ if (asf_header_len > 4 * 1024 * 1024)
+ {
+ xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG,
+ "demux_asf: asf_read_header: overly-large header? (%"PRIu64" bytes)\n",
+ asf_header_len);
+ return 0;
+ }
+
+ asf_header_buffer = malloc (asf_header_len);
if (this->input->read (this->input, asf_header_buffer, asf_header_len) != asf_header_len)
+ {
+ free (asf_header_buffer);
return 0;
+ }
/* delete previous header */
if (this->asf_header) {
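Review bot: The pointer returned by `malloc (asf_header_len)` goes straight into `this->input->read` with no NULL check, so an allocation failure for a file-controlled size of up to 4 MiB becomes a write through a null pointer. Add `if (!asf_header_buffer) return 0;` directly after the allocation. The new bound also has no lower limit: a length of 0 passes the check and reaches `malloc(0)`, whose result is implementation-defined, so rejecting it alongside the upper bound would be cleaner. asf_read_header starts and ends outside this hunk, so how a zero-length buffer is treated further down cannot be confirmed from here.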
@@ -395,7 +406,11 @@ static int asf_read_header (demux_asf_t *this) {
*/
this->asf_header = asf_header_new(asf_header_buffer, asf_header_len);
if (!this->asf_header)
+ {
+ free (asf_header_buffer);
return 0;
+ }
+ free (asf_header_buffer);
lprintf("asf header parsing ok\n");
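Review bot: Freeing `asf_header_buffer` right after `asf_header_new()` is only safe if the parsed header keeps no pointers into the raw buffer and nothing later in asf_read_header reads it. Neither is visible in this hunk, so once confirmed, a comment such as `/* asf_header_new() has copied what it needs; raw buffer is not used past this point */` would record the assumption. The two `free` calls could also become a single `free (asf_header_buffer);` placed immediately after the `asf_header_new` call, before the NULL test, leaving one release point to audit. The function body continues outside the hunk.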