From 49d4eec32b8c05eadfaf9c42b3dcd7407815fd9a Mon Sep 17 00:00:00 2001
From: Matthias Hopf <mhopf@suse.de>
Date: Sun, 4 Jan 2009 17:21:46 +0000
Subject: Fix for CVE-2008-5237 Multiple integer overflows in xine-lib 1.1.12,
 and other 1.1.15 and earlier versions, allow remote attackers to cause a
 denial of service (crash) or possibly execute arbitrary code via (1) crafted
 width and height values that are not validated by the mymng_process_header
 function in demux_mng.c before use in an allocation calculation or (2)
 crafted current_atom_size and string_size values processed by the
 parse_reference_atom function in demux_qt.c.

---
 src/demuxers/demux_mng.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src/demuxers/demux_mng.c')

diff --git a/src/demuxers/demux_mng.c b/src/demuxers/demux_mng.c
index 0fcdb24ff..b57a349c5 100644
--- a/src/demuxers/demux_mng.c
+++ b/src/demuxers/demux_mng.c
@@ -112,6 +112,9 @@ static mng_bool mymng_read_stream(mng_handle mngh, mng_ptr buffer, mng_uint32 si
 static mng_bool mymng_process_header(mng_handle mngh, mng_uint32 width, mng_uint32 height){
   demux_mng_t *this = (demux_mng_t*)mng_get_userdata(mngh);
 
+  if (width > 0x8000 || height > 0x8000)
+      return MNG_FALSE;
+
   this->bih.biWidth = (width + 7) & ~7;
   this->bih.biHeight = height;
   this->left_edge = (this->bih.biWidth - width) / 2;
-- 
cgit v1.2.3