From ec17a06e90ae960595fce584ce1b161f2674293e Mon Sep 17 00:00:00 2001
From: Darren Salt
Date: Tue, 10 Feb 2009 17:17:50 +0000
Subject: Fix a possible integer overflow in the 4XM demuxer. (TKADV2009-004.txt)

---
 ChangeLog | 1 +
 src/demuxers/demux_4xm.c | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index ebff0e5de..bdfaf1d23 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,7 @@ xine-lib (1.1.17) 2009-??-??
 * Fix broken size checks in various input plugins (ref. CVE-2008-5239).
 * More malloc checking (ref. CVE-2008-5240).
 * Fix race conditions in gapless_switch (ref. kde bug #180339)
+ * Fix a possible integer overflow in the 4XM demuxer. (TKADV2009-004.txt)
 
 xine-lib (1.1.16.1) 2009-01-11
 * Fix build with older ffmpeg, both internal and in Debian 5.0.
diff --git a/src/demuxers/demux_4xm.c b/src/demuxers/demux_4xm.c
index a02a4b597..015ed8b2f 100644
--- a/src/demuxers/demux_4xm.c
+++ b/src/demuxers/demux_4xm.c
@@ -192,6 +192,10 @@ static int open_fourxm_file(demux_fourxm_t *fourxm) {
 const uint32_t current_track = _X_LE_32(&header[i + 8]);
 if (current_track + 1 > fourxm->track_count) {
 fourxm->track_count = current_track + 1;
+ if (fourxm->track_count >= UINT_MAX / sizeof(audio_track_t)) {
+ free(header);
+ return 0;
+ }
 fourxm->tracks = realloc(fourxm->tracks, fourxm->track_count * sizeof(audio_track_t));
 if (!fourxm->tracks) {
-- 
cgit v1.2.3
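Review bot: The new guard in open_fourxm_file runs after `fourxm->track_count = current_track + 1;` has already been stored, so on the `return 0` path the struct carries a track_count that no longer matches the size of `fourxm->tracks`; if the dispose or caller path walks `tracks` up to `track_count` (not visible here), that is an out-of-bounds read on a file-controlled value. Test the untrusted value before committing it to the struct: `if (current_track + 1 >= UINT_MAX / sizeof(audio_track_t)) { free(header); return 0; }` followed by `fourxm->track_count = current_track + 1;`. Two smaller points on the same lines: `current_track + 1` itself wraps to 0 when the 32-bit field is 0xFFFFFFFF, which silently skips the grow-and-realloc step rather than rejecting the header, and the product passed to realloc is computed in `size_t`, so `SIZE_MAX / sizeof(audio_track_t)` is the bound that actually matches the multiplication (UINT_MAX is merely stricter on LP64). The enclosing function starts before and continues past this hunk, so I cannot confirm from here whether the existing `if (!fourxm->tracks)` failure path also frees `header` the same way.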