From c9450dc0b04d03c85fc7183562d7a66c538f9df8 Mon Sep 17 00:00:00 2001
From: Michael Roitzsch
Date: Wed, 15 Dec 2004 21:03:02 +0000
Subject: check for the chunk size the file tells us before blindly overflowing the buffer; this was remotely exploitable, thanks to Ariel Berkman for catching this and D. J. Bernstein for reporting it
CVS patchset: 7261
CVS date: 2004/12/15 21:03:02
---
 src/demuxers/demux_aiff.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/demuxers/demux_aiff.c b/src/demuxers/demux_aiff.c
index 3589cadd0..253827454 100644
--- a/src/demuxers/demux_aiff.c
+++ b/src/demuxers/demux_aiff.c
@@ -21,7 +21,7 @@
 /*
  * AIFF File Demuxer by Mike Melanson (melanson@pcisys.net)
  *
- * $Id: demux_aiff.c,v 1.39 2004/06/13 21:28:52 miguelfreitas Exp $
+ * $Id: demux_aiff.c,v 1.40 2004/12/15 21:03:02 mroi Exp $
  *
  */
 
@@ -120,6 +120,12 @@ static int open_aiff_file(demux_aiff_t *this) {
   }
   chunk_type = BE_32(&preamble[0]);
   chunk_size = BE_32(&preamble[4]);
+
+  if (chunk_size > sizeof(buffer) / sizeof(buffer[0])) {
+    /* the chunk is too large to fit in the buffer -> this cannot be an aiff chunk */
+    this->status = DEMUX_FINISHED;
+    return 0;
+  }
 
   if (chunk_type == COMM_TAG) {
     if (this->input->read(this->input, buffer, chunk_size) !=
-- 
cgit v1.2.3
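Review bot: The size guard added after `chunk_size = BE_32(&preamble[4]);` runs before the chunk type is dispatched, so it rejects every chunk whose declared size exceeds `buffer`, not only the COMM chunk that the visible `this->input->read(this->input, buffer, chunk_size)` copies into it. If the branches below the hunk handle other chunk types (the sound-data chunk, or unknown chunks that are skipped) without reading them into `buffer`, those chunks are routinely larger than a small local array and such files would now fail to open even though no overflow is possible for them. Moving the five added lines to just inside `if (chunk_type == COMM_TAG) {`, ahead of the `read` call, keeps the overflow fix for the one read that targets `buffer` while leaving the other chunk handlers untouched. The declaration of `buffer` and the rest of open_aiff_file lie outside the hunk, so confirm there that no other branch copies `chunk_size` bytes into a fixed-size array before narrowing the check.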