From 49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a Mon Sep 17 00:00:00 2001
From: Matthias Hopf <mhopf@suse.de>
Date: Sun, 4 Jan 2009 17:21:46 +0000
Subject: Fix for CVE-2008-5237 Multiple integer overflows in xine-lib 1.1.12,
 and other 1.1.15 and earlier versions, allow remote attackers to cause a
 denial of service (crash) or possibly execute arbitrary code via (1) crafted
 width and height values that are not validated by the mymng_process_header
 function in demux_mng.c before use in an allocation calculation or (2)
 crafted current_atom_size and string_size values processed by the
 parse_reference_atom function in demux_qt.c.

---
 src/demuxers/demux_mng.c | 3 +++
 src/demuxers/demux_qt.c  | 9 +++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/demuxers/demux_mng.c b/src/demuxers/demux_mng.c
index 0fcdb24ff..b57a349c5 100644
--- a/src/demuxers/demux_mng.c
+++ b/src/demuxers/demux_mng.c
@@ -112,6 +112,9 @@ static mng_bool mymng_read_stream(mng_handle mngh, mng_ptr buffer, mng_uint32 si
 static mng_bool mymng_process_header(mng_handle mngh, mng_uint32 width, mng_uint32 height){
   demux_mng_t *this = (demux_mng_t*)mng_get_userdata(mngh);
 
+  if (width > 0x8000 || height > 0x8000)
+      return MNG_FALSE;
+
   this->bih.biWidth = (width + 7) & ~7;
   this->bih.biHeight = height;
   this->left_edge = (this->bih.biWidth - width) / 2;
diff --git a/src/demuxers/demux_qt.c b/src/demuxers/demux_qt.c
index 3d4161fbf..c569ef9a4 100644
--- a/src/demuxers/demux_qt.c
+++ b/src/demuxers/demux_qt.c
@@ -1597,13 +1597,16 @@ static qt_error parse_reference_atom (reference_t *ref,
   qt_atom current_atom;
   unsigned int current_atom_size;
 
+  if (ref_atom_size >= 0x80000000)
+    return QT_NOT_A_VALID_FILE;
+
   /* initialize reference atom */
   ref->url = NULL;
   ref->data_rate = 0;
   ref->qtim_version = 0;
 
   /* traverse through the atom looking for the key atoms */
-  for (i = ATOM_PREAMBLE_SIZE; i < ref_atom_size - 4; i++) {
+  for (i = ATOM_PREAMBLE_SIZE; i + 4 < ref_atom_size; i++) {
 
     current_atom_size = _X_BE_32(&ref_atom[i - 4]);
     current_atom = _X_BE_32(&ref_atom[i]);
@@ -1612,7 +1615,7 @@ static qt_error parse_reference_atom (reference_t *ref,
       size_t string_size = _X_BE_32(&ref_atom[i + 12]);
       size_t url_offset = 0;
 
-      if (string_size >= current_atom_size || i + string_size >= ref_atom_size)
+      if (string_size >= current_atom_size || string_size >= ref_atom_size - i)
         return QT_NOT_A_VALID_FILE;
 
       /* if the URL starts with "http://", copy it */
@@ -1620,6 +1623,8 @@ static qt_error parse_reference_atom (reference_t *ref,
 	   memcmp(&ref_atom[i + 16], "rtsp://", 7) &&
 	   base_mrl )
 	url_offset = strlen(base_mrl);
+      if (url_offset >= 0x80000000)
+        return QT_NOT_A_VALID_FILE;
 
       /* otherwise, append relative URL to base MRL */
       string_size += url_offset;
-- 
cgit v1.2.3