From 0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3 Mon Sep 17 00:00:00 2001
From: Matthias Hopf <mhopf@suse.de>
Date: Sun, 4 Jan 2009 17:21:46 +0000
Subject: Fix for CVE-2008-5239 xine-lib 1.1.12, and other 1.1.15 and earlier
 versions, does not properly handle (a) negative and (b) zero values during
 unspecified read function calls in input_file.c, input_net.c, input_smb.c,
 and input_http.c, which allows remote attackers to cause a denial of service
 (crash) or possibly execute arbitrary code via vectors such as (1) a file or
 (2) an HTTP response, which triggers consequences such as out-of-bounds reads
 and heap-based buffer overflows.

---
 src/input/input_http.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

(limited to 'src/input/input_http.c')

diff --git a/src/input/input_http.c b/src/input/input_http.c
index 169a0d384..3cb745656 100644
--- a/src/input/input_http.c
+++ b/src/input/input_http.c
@@ -421,6 +421,9 @@ static off_t http_plugin_read (input_plugin_t *this_gen,
 
   num_bytes = 0;
 
+  if (nlen < 0)
+    return -1;
+
   if (this->curpos < this->preview_size) {
 
     if (nlen > (this->preview_size - this->curpos))
@@ -437,7 +440,7 @@ static off_t http_plugin_read (input_plugin_t *this_gen,
 
   n = nlen - num_bytes;
 
-  if (n) {
+  if (n > 0) {
     int read_bytes;
     read_bytes = http_plugin_read_int (this, &buf[num_bytes], n);
     
@@ -503,6 +506,11 @@ static buf_element_t *http_plugin_read_block (input_plugin_t *this_gen, fifo_buf
   off_t                 total_bytes;
   buf_element_t        *buf = fifo->buffer_pool_alloc (fifo);
 
+  if (todo < 0 || todo > buf->size) {
+    buf->free_buffer (buf);
+    return NULL;
+  }
+
   buf->content = buf->mem;
   buf->type = BUF_DEMUX_BLOCK;
 
@@ -554,7 +562,7 @@ static off_t http_plugin_seek(input_plugin_t *this_gen, off_t offset, int origin
   if ((origin == SEEK_CUR) && (offset >= 0)) {
 
     for (;((int)offset) - BUFSIZE > 0; offset -= BUFSIZE) {
-      if( !this_gen->read (this_gen, this->seek_buf, BUFSIZE) )
+      if( this_gen->read (this_gen, this->seek_buf, BUFSIZE) <= 0 )
         return this->curpos;
     }
 
@@ -576,7 +584,7 @@ static off_t http_plugin_seek(input_plugin_t *this_gen, off_t offset, int origin
       offset -= this->curpos;
 
       for (;((int)offset) - BUFSIZE > 0; offset -= BUFSIZE) {
-        if( !this_gen->read (this_gen, this->seek_buf, BUFSIZE) )
+        if( this_gen->read (this_gen, this->seek_buf, BUFSIZE) <= 0 )
           return this->curpos;
       }
 
@@ -996,6 +1004,7 @@ static int http_plugin_open (input_plugin_t *this_gen ) {
     this->preview_size = http_plugin_read_int (this, this->preview, MAX_PREVIEW_SIZE);
   }
   if (this->preview_size < 0) {
+    this->preview_size = 0;
     xine_log (this->stream->xine, XINE_LOG_MSG, _("input_http: read error %d\n"), errno);
     return -12;
   }
-- 
cgit v1.2.3