From 4fca100da81fd2a3fe96a7b05b19c54a2274080d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Diego=20=27Flameeyes=27=20Petten=C3=B2?=
Date: Wed, 29 Nov 2006 21:26:52 +0000
Subject: =?UTF-8?q?Fix=20a=20serious=20overflow=20for=20the=20asf=5Fheader?= =?UTF-8?q?,=20use=20an=20alloca()=20buffer=20while=20reading=20rather=20t?= =?UTF-8?q?han=20using=20a=20fixed-size=20buffer.=20This=20fixes=20the=20c?= =?UTF-8?q?rash=20reported=20by=20=C4=B0smail=20D=C3=B6nmez=20in=20WMA=20f?= =?UTF-8?q?iles,=20and=20prevents=20possible=20exploits.=20Also=20thanks?= =?UTF-8?q?=20to=20Tavis=20Ormandy=20for=20the=20help=20handling=20the=20p?= =?UTF-8?q?roblem.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVS patchset: 8393
CVS date: 2006/11/29 21:26:52
---
 src/demuxers/demux_asf.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/src/demuxers/demux_asf.c b/src/demuxers/demux_asf.c
index d215e5cd9..ba31d6e51 100644
--- a/src/demuxers/demux_asf.c
+++ b/src/demuxers/demux_asf.c
@@ -17,7 +17,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
  *
- * $Id: demux_asf.c,v 1.187 2006/11/26 17:03:12 klan Exp $
+ * $Id: demux_asf.c,v 1.188 2006/11/29 21:26:52 dgp85 Exp $
  *
  * demultiplexer for asf streams
  *
@@ -70,8 +70,6 @@
 #define ASF_MODE_ASF_REF 3
 #define ASF_MODE_ENCRYPTED_CONTENT 4
-#define ASF_HEADER_SIZE 8192 /* max header size */
-
 typedef struct {
   int seq;
@@ -154,8 +152,6 @@ typedef struct demux_asf_s {
   /* for fewer error messages */
   GUID last_unknown_guid;
-  uint8_t asf_header_buffer[ASF_HEADER_SIZE];
-  uint32_t asf_header_len;
   asf_header_t *asf_header;
 } demux_asf_t ;
@@ -378,10 +374,13 @@ static void asf_send_video_header (demux_asf_t *this, int stream) {
 static int asf_read_header (demux_asf_t *this) {
   int i;
+  uint64_t asf_header_len;
+  char *asf_header_buffer = NULL;
-  this->asf_header_len = get_le64(this);
+  asf_header_len = get_le64(this);
+  asf_header_buffer = alloca(asf_header_len);
-  if (this->input->read (this->input, this->asf_header_buffer, this->asf_header_len) != this->asf_header_len)
+  if (this->input->read (this->input, asf_header_buffer, asf_header_len) != asf_header_len)
     return 0;
   /* delete previous header */
@@ -393,7 +392,7 @@ static int asf_read_header (demux_asf_t *this) {
    * byte 0-15: header guid
    * byte 16-23: header length
    */
-  this->asf_header = asf_header_new(this->asf_header_buffer, this->asf_header_len);
+  this->asf_header = asf_header_new(asf_header_buffer, asf_header_len);
   if (!this->asf_header)
     return 0;
-- 
cgit v1.2.3
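Review bot: The new `asf_header_buffer = alloca(asf_header_len);` still trusts the 64-bit length that `get_le64(this)` just read from the file, so a crafted header length of a few megabytes moves the stack pointer past the stack guard page and the following `input->read` then writes file-controlled bytes into whatever mapping lies below the stack, or faults on an unmapped page; on 32-bit targets the `uint64_t` is additionally truncated when converted to `size_t`, and `alloca` has no way to report failure. The length should be checked against a sane maximum before any allocation and the buffer should come from the heap so an oversized or failed request is a clean `return 0` rather than a stack fault, with the `free` placed right after `asf_header_new` consumes the buffer (second hunk). Whether `asf_header_new` keeps a pointer into the buffer is not visible here, but with `alloca` the buffer is already dead at function return, so freeing a heap copy at the same point is no worse. `asf_read_header` starts in the first hunk and continues past the second, so any other early-return paths between the two must also free the buffer; the limit below is a placeholder the maintainers should set from real files, since the commit message says the previous 8192 was too small.

```c
/* upper bound for a header read straight from the file; 8192 proved too small */
#define ASF_MAX_HEADER_LEN (16 * 1024 * 1024)

static int asf_read_header (demux_asf_t *this) {
  int i;
  uint64_t asf_header_len;
  char *asf_header_buffer = NULL;

  asf_header_len = get_le64(this);
  /* length is attacker-controlled: reject absurd sizes before allocating */
  if (asf_header_len == 0 || asf_header_len > ASF_MAX_HEADER_LEN)
    return 0;
  asf_header_buffer = malloc((size_t)asf_header_len);
  if (!asf_header_buffer)
    return 0;

  if (this->input->read (this->input, asf_header_buffer, asf_header_len) != asf_header_len) {
    free(asf_header_buffer);
    return 0;
  }
  /* … unchanged: delete previous header, header guid/length comment … */
  this->asf_header = asf_header_new(asf_header_buffer, asf_header_len);
  free(asf_header_buffer);
  if (!this->asf_header)
    return 0;
```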