From afa345a236a04cb2526fa9350b1767fdd9972fcf Mon Sep 17 00:00:00 2001
From: Darren Salt <linux@youmustbejoking.demon.co.uk>
Date: Thu, 7 Aug 2008 14:03:52 +0100
Subject: Fix crashes with fuzzed Ogg files. (CVE-2008-3231)

--HG--
extra : transplant_source : %9F%E8R%D8%94R%9CJ%7F%5E%A7%DB%29%0DK%CD%CA%AD%7F%08
---
 ChangeLog                | 2 ++
 src/demuxers/demux_ogg.c | 8 +++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index b3dc760ff..0482c3b93 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,6 @@
 xine-lib (1.1.15) 2008-??-??
+  * Security fixes:
+    - Fix crashes with corrupted Ogg files. (CVE-2008-3231)
   * Use external ffmpeg by default.
   * V4L: Don't segfault if asked for an input that doesn't exist
   * Recognise AMR audio (normally found in 3GP files).
diff --git a/src/demuxers/demux_ogg.c b/src/demuxers/demux_ogg.c
index 2cbba982f..9e9de45aa 100644
--- a/src/demuxers/demux_ogg.c
+++ b/src/demuxers/demux_ogg.c
@@ -1357,7 +1357,7 @@ static void send_header (demux_ogg_t *this) {
   this->ignore_keyframes = 0;
 
   while (!done) {
-    if (!read_ogg_packet(this)) {
+    if (!read_ogg_packet(this) || !this->og.header || !this->og.body) {
       return;
     }
     /* now we've got at least one new page */
@@ -1483,6 +1483,12 @@ static int demux_ogg_send_chunk (demux_plugin_t *this_gen) {
     return this->status;
   }
 
+  if (!this->og.header || !this->og.body) {
+    this->status = DEMUX_FINISHED;
+    lprintf ("EOF\n");
+    return this->status;
+  }
+
   /* now we've got one new page */
 
   cur_serno = ogg_page_serialno (&this->og);
-- 
cgit v1.2.3