From 613653ef0702ef2d0b6c95b0391631d2597b5464 Mon Sep 17 00:00:00 2001
From: Tielei
Date: Thu, 21 Aug 2008 00:18:00 +0000
Subject: Two potential integer overflows in cdda_server

There are two potential integer overflow bugs in process_commands(). process_commands() reads some tainted data from socket to "cmd", but doesn't check cmd rightly.
--HG--
extra : transplant_source : z%12%ABF%D9%EF%92%A1M%B2%FCx%82%26%82%EEaM%2A%C1
---
 misc/cdda_server.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'misc/cdda_server.c')
diff --git a/misc/cdda_server.c b/misc/cdda_server.c
index 553ec0a8a..0e2817db3 100644
--- a/misc/cdda_server.c
+++ b/misc/cdda_server.c
@@ -480,6 +480,12 @@ static int process_commands( int socket )
 sscanf(cmd,"%*s %d %d", &start_frame, &num_frames);
+ if (num_frames > INT_MAX / CD_RAW_FRAME_SIZE)
+ {
+ printf ("fatal error: integer overflow\n");
+ exit (1);
+ }
+
 n = num_frames * CD_RAW_FRAME_SIZE;
 buf = malloc( n );
 if( !buf )
@@ -556,6 +562,11 @@ static int process_commands( int socket )
 char *buf;
 sscanf(cmd,"%*s %d %d", &blocks, &flags);
+ if (blocks > INT_MAX / DVD_BLOCK_SIZE)
+ {
+ printf ("fatal error: integer overflow\n");
+ exit (1);
+ }
 n = blocks * DVD_BLOCK_SIZE;
 buf = malloc( n );
-- 
cgit v1.2.3
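Review bot: Both new guards test only the upper bound, so a negative `num_frames` (first hunk) or `blocks` (second hunk) parsed from the socket command still reaches the multiplication and `malloc( n )`, and a large enough negative value overflows the signed multiply just as the positive case did. The checks should reject negatives as well: `if (num_frames < 0 || num_frames > INT_MAX / CD_RAW_FRAME_SIZE)` and `if (blocks < 0 || blocks > INT_MAX / DVD_BLOCK_SIZE)`. The return value of `sscanf` is unchecked in both places, so a command with fewer than two integers leaves the variables at whatever they held before; their declarations are outside the hunks, so whether they are initialised cannot be confirmed from here. Calling `exit (1)` on a client-supplied value lets any connected client stop the whole server, so failing only that command would be safer, though how process_commands() reports errors is not visible in these hunks. `INT_MAX` needs `<limits.h>` and the patch adds no include, so confirm the file already has it.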