From 344c697e75c3fdd1067dc90fc2edc7a19c49466b Mon Sep 17 00:00:00 2001
From: Darren Salt
Date: Fri, 8 Aug 2008 11:10:30 +0100
Subject: Fix crash with corrupted AVI files (chunk size).
--HG--
extra : transplant_source : Z%F0%90e%A3%94%D3%7F%D9ROC8%3C%FD%F5FO%BFU
---
 ChangeLog | 4 ++--
 src/demuxers/demux_avi.c | 8 +++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index b5bb357f7..0d5b46f7a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,7 @@
 xine-lib (1.1.15) 2008-??-??
 * Security fixes:
- - Fix crashes with corrupted Ogg files. (CVE-2008-3231)
- - Fix crashes with fuzzed Windows Media files.
+ - Fix crashes with various corrupted media files, including Ogg.
+ (CVE-2008-3231)
 - Delay V4L video frame preallocation until we know how large they'll be.
 * Use external ffmpeg by default.
 * V4L: Don't segfault if asked for an input that doesn't exist.
diff --git a/src/demuxers/demux_avi.c b/src/demuxers/demux_avi.c
index 16b897711..0ab3448bb 100644
--- a/src/demuxers/demux_avi.c
+++ b/src/demuxers/demux_avi.c
@@ -317,6 +317,8 @@ typedef struct {
 getIndex==0, but an operation has been performed that needs an index */
+#define AVI_ERR_BAD_SIZE 14 /* A chunk has an invalid size */
+
 #define AVI_HEADER_UNKNOWN -1
 #define AVI_HEADER_AUDIO 0
 #define AVI_HEADER_VIDEO 1
@@ -780,7 +782,7 @@ static avi_t *XINE_MALLOC AVI_init(demux_avi_t *this) {
 lprintf("chunk: %c%c%c%c, size: %" PRId64 "\n", data[0], data[1], data[2], data[3], (int64_t)n);
- if((strncasecmp(data,"LIST",4) == 0) && (n >= 4)) {
+ if (n >= 4 && strncasecmp(data,"LIST",4) == 0) {
 if( this->input->read(this->input, data,4) != 4 ) ERR_EXIT(AVI_ERR_READ);
 n -= 4;
@@ -835,6 +837,8 @@ static avi_t *XINE_MALLOC AVI_init(demux_avi_t *this) {
 /* Interpret the header list */
 for (i = 0; i < hdrl_len;) {
+ const int old_i = i;
+
 /* List tags are completly ignored */
 lprintf("tag: %c%c%c%c\n", hdrl_data[i], hdrl_data[i+1], hdrl_data[i+2], hdrl_data[i+3]);
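Review bot: In the `@@ -780,7 +782,7 @@` hunk the reordered test `n >= 4 && strncasecmp(data,"LIST",4) == 0` still enforces only a lower bound on the chunk size read from the file. Nothing visible here compares `n` with the remaining stream length, so any later use of `n` as an allocation or read length (outside this hunk, not shown) depends on an upper bound being applied elsewhere. I would at least record that above the test: `/* n is the untrusted chunk size from the file: only n >= 4 is guaranteed past this point */`. AVI_init's body starts and ends outside the hunk.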
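Review bot: In the `@@ -835,6 +837,8 @@` hunk the loop guard `i < hdrl_len` admits an `i` with fewer than four bytes left, yet the `lprintf` just below the new `old_i` reads `hdrl_data[i]` through `hdrl_data[i+3]`. With a truncated or corrupted header list that is a read past the end of `hdrl_data`, at least when `lprintf` is compiled in; the tag parsing that presumably follows is outside the hunk. Since this commit already introduces AVI_ERR_BAD_SIZE, a guard next to `old_i` would close it: `if (hdrl_len - i < 4) ERR_EXIT(AVI_ERR_BAD_SIZE);`. The loop body continues outside the hunk.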
@@ -1081,6 +1085,8 @@ static avi_t *XINE_MALLOC AVI_init(demux_avi_t *this) {
 lasttag = 0;
 }
 i += n;
+ if (i <= old_i)
+ ERR_EXIT(AVI_ERR_BAD_SIZE);
 }
 if( hdrl_data )
-- cgit v1.2.3
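Review bot: The progress check `if (i <= old_i)` runs after `i += n`, so it can detect a bad size only from the result of the addition. `old_i` is declared `const int`, which suggests `i` is a signed int; a large enough `n` then overflows it, which is undefined behaviour in C and permits the compiler to drop the comparison. Validating before the add avoids relying on wraparound and also rejects a chunk that claims to extend past the header list: `if (n <= 0 || n > hdrl_len - i) ERR_EXIT(AVI_ERR_BAD_SIZE);` followed by `i += n;`. The declarations of `i`, `n` and `hdrl_len` are outside the hunk, as is any padding applied to `n`, so the exact types and whether a final chunk may legitimately overrun by a pad byte need confirming.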