From 0c51806592bae19fbc4f1f6615e5b3f4cb8e7dc3 Mon Sep 17 00:00:00 2001 From: Matthias Hopf Date: Sun, 4 Jan 2009 17:21:46 +0000 Subject: Fix for CVE-2008-5239 xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not properly handle (a) negative and (b) zero values during unspecified read function calls in input_file.c, input_net.c, input_smb.c, and input_http.c, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via vectors such as (1) a file or (2) an HTTP response, which triggers consequences such as out-of-bounds reads and heap-based buffer overflows. --- src/input/input_pvr.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src/input/input_pvr.c') diff --git a/src/input/input_pvr.c b/src/input/input_pvr.c index 009c76939..18d29f6be 100644 --- a/src/input/input_pvr.c +++ b/src/input/input_pvr.c @@ -424,6 +424,9 @@ static uint32_t pvr_plugin_get_capabilities (input_plugin_t *this_gen) { static off_t pvr_plugin_read (input_plugin_t *this_gen, char *buf, off_t len) { /*pvr_input_plugin_t *this = (pvr_input_plugin_t *) this_gen;*/ + if (len < 4) + return -1; + /* FIXME: Tricking the demux_mpeg_block plugin */ buf[0] = 0; buf[1] = 0; @@ -1199,6 +1202,9 @@ static buf_element_t *pvr_plugin_read_block (input_plugin_t *this_gen, fifo_buff buf_element_t *buf; int speed = _x_get_speed(this->stream); + if (todo < 0 || todo > buf->size) + return NULL; + if( !this->pvr_running ) { xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, "input_pvr: thread died, aborting\n"); return NULL; -- cgit v1.2.3