From 5feca7a3847d4035b9d4116ceb5ffd24d5ae07b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Diego=20=27Flameeyes=27=20Petten=C3=B2?= Date: Tue, 11 Mar 2008 15:30:36 +0100 Subject: Use calloc() to avoid possible integer overflow if stream_count is big enough. --HG-- extra : transplant_source : %90%CC%97%8Fk%C1%FD%9C%A4%FB%0C%9E%07%F5A%B8%29o%EEo --- src/input/libreal/sdpplin.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/input') diff --git a/src/input/libreal/sdpplin.c b/src/input/libreal/sdpplin.c index c62b6bbc1..5b22e9044 100644 --- a/src/input/libreal/sdpplin.c +++ b/src/input/libreal/sdpplin.c @@ -199,7 +199,7 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) { if(filter(*data,"a=OpaqueData:buffer;",&buf)) { decoded = b64_decode(buf, decoded, &(desc->mlti_data_size)); if ( decoded != NULL ) { - desc->mlti_data = malloc(sizeof(char)*desc->mlti_data_size); + desc->mlti_data = calloc(desc->mlti_data_size, sizeof(char)); memcpy(desc->mlti_data, decoded, desc->mlti_data_size); handled=1; *data=nl(*data); @@ -294,7 +294,7 @@ sdpplin_t *sdpplin_parse(char *data) { if(filter(data,"a=StreamCount:integer;",&buf)) { desc->stream_count=atoi(buf); - desc->stream = malloc(sizeof(sdpplin_stream_t*)*desc->stream_count); + desc->stream = calloc(desc->stream_count, sizeof(sdpplin_stream_t*)); handled=1; data=nl(data); } -- cgit v1.2.3 From 431033df2571df5bdd1ec1253cf04921b6d01368 Mon Sep 17 00:00:00 2001 From: Bastian Blank Date: Sun, 2 Mar 2008 22:48:39 +0000 Subject: libdvdread - Uses UDF provided length as authoritative libdvdread uses the file length provided by the UDF fs of the title set IFO files authoritative. I got a DVD which have parts of this file mapped outside of the provided file size and according to my memory only the offsets in the files matters in the standard. This patch adjusts the internal knowledge of the filesize accordingly and at least allows mplayer to play the dvd. (Imported from Debian libdvdread 0.9.7-8) --- src/input/libdvdnav/dvd_reader.c | 24 +++++++++++++++++++++++- src/input/libdvdnav/dvd_reader.h | 2 ++ src/input/libdvdnav/ifo_read.c | 6 +++++- 3 files changed, 30 insertions(+), 2 deletions(-) (limited to 'src/input') diff --git a/src/input/libdvdnav/dvd_reader.c b/src/input/libdvdnav/dvd_reader.c index 200a1dbec..eff1977fc 100644 --- a/src/input/libdvdnav/dvd_reader.c +++ b/src/input/libdvdnav/dvd_reader.c @@ -1037,6 +1037,28 @@ int32_t DVDFileSeek( dvd_file_t *dvd_file, int32_t offset ) return offset; } +int32_t DVDFileSeekForce( dvd_file_t *dvd_file, int offset, int force_size ) +{ + /* Check arguments. */ + if( dvd_file == NULL || offset < 0 ) + return -1; + + if( dvd_file->dvd->isImageFile ) { + if( force_size < 0 ) + force_size = (offset - 1) / DVD_VIDEO_LB_LEN + 1; + if( dvd_file->filesize < force_size) { + dvd_file->filesize = force_size; + fprintf(stderr, "libdvdread: Ignored UDF provided size of file.\n"); + } + } + + if( offset > dvd_file->filesize * DVD_VIDEO_LB_LEN ) { + return -1; + } + dvd_file->seek_pos = (uint32_t) offset; + return offset; +} + ssize_t DVDReadBytes( dvd_file_t *dvd_file, void *data, size_t byte_size ) { unsigned char *secbuf_base, *secbuf; @@ -1077,7 +1099,7 @@ ssize_t DVDReadBytes( dvd_file_t *dvd_file, void *data, size_t byte_size ) memcpy( data, &(secbuf[ seek_byte ]), byte_size ); free( secbuf_base ); - dvd_file->seek_pos += byte_size; + DVDFileSeekForce(dvd_file, dvd_file->seek_pos + byte_size, -1); return byte_size; } diff --git a/src/input/libdvdnav/dvd_reader.h b/src/input/libdvdnav/dvd_reader.h index bb3f5053b..e1b051c00 100644 --- a/src/input/libdvdnav/dvd_reader.h +++ b/src/input/libdvdnav/dvd_reader.h @@ -171,6 +171,8 @@ ssize_t DVDReadBlocks( dvd_file_t *, int, size_t, unsigned char * ); */ int32_t DVDFileSeek( dvd_file_t *, int32_t ); +int32_t DVDFileSeekForce( dvd_file_t *, int, int ); + /** * Reads the given number of bytes from the file. This call can only be used * on the information files, and may not be used for reading from a VOB. This diff --git a/src/input/libdvdnav/ifo_read.c b/src/input/libdvdnav/ifo_read.c index 8f47d2a54..bc1ba580b 100644 --- a/src/input/libdvdnav/ifo_read.c +++ b/src/input/libdvdnav/ifo_read.c @@ -93,6 +93,10 @@ static inline int DVDFileSeek_( dvd_file_t *dvd_file, uint32_t offset ) { return (DVDFileSeek(dvd_file, (int)offset) == (int)offset); } +static inline int32_t DVDFileSeekForce_( dvd_file_t *dvd_file, uint32_t offset, int force_size ) { + return (DVDFileSeekForce(dvd_file, (int)offset, force_size) == (int)offset); +} + ifo_handle_t *ifoOpen(dvd_reader_t *dvd, int title) { ifo_handle_t *ifofile; @@ -1507,7 +1511,7 @@ static int ifoRead_VOBU_ADMAP_internal(ifo_handle_t *ifofile, unsigned int i; int info_length; - if(!DVDFileSeek_(ifofile->file, sector * DVD_BLOCK_LEN)) + if(!DVDFileSeekForce_(ifofile->file, sector * DVD_BLOCK_LEN, sector)) return 0; if(!(DVDReadBytes(ifofile->file, vobu_admap, VOBU_ADMAP_SIZE))) -- cgit v1.2.3 From d60523d37375659965650be4c695b3d439ded174 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Diego=20=27Flameeyes=27=20Petten=C3=B2?= Date: Tue, 11 Mar 2008 15:24:55 +0100 Subject: Fix Array Indexing Vulnerability in sdpplin_parse(). (CVE-2008-0073). Thanks to Alin Rad Pop, Secunia Research. --- src/input/libreal/sdpplin.c | 23 ++++++++++++++++++++--- src/input/libreal/sdpplin.h | 4 ++-- 2 files changed, 22 insertions(+), 5 deletions(-) (limited to 'src/input') diff --git a/src/input/libreal/sdpplin.c b/src/input/libreal/sdpplin.c index 5b22e9044..04554c45e 100644 --- a/src/input/libreal/sdpplin.c +++ b/src/input/libreal/sdpplin.c @@ -143,7 +143,14 @@ static sdpplin_stream_t *sdpplin_parse_stream(char **data) { handled=0; if(filter(*data,"a=control:streamid=",&buf)) { - desc->stream_id=atoi(buf); + /* This way negative values are mapped to unfeasibly high + * values, and will be discarded afterward + */ + unsigned long tmp = strtoul(buf, NULL, 10); + if ( tmp > UINT16_MAX ) + lprintf("stream id out of bound: %lu\n", tmp); + else + desc->stream_id=tmp; handled=1; *data=nl(*data); } @@ -252,7 +259,10 @@ sdpplin_t *sdpplin_parse(char *data) { } stream=sdpplin_parse_stream(&data); lprintf("got data for stream id %u\n", stream->stream_id); - desc->stream[stream->stream_id]=stream; + if ( stream->stream_id >= desc->stream_count ) + lprintf("stream id %u is greater than stream count %u\n", stream->stream_id, desc->stream_count); + else + desc->stream[stream->stream_id]=stream; continue; } @@ -293,7 +303,14 @@ sdpplin_t *sdpplin_parse(char *data) { } if(filter(data,"a=StreamCount:integer;",&buf)) { - desc->stream_count=atoi(buf); + /* This way negative values are mapped to unfeasibly high + * values, and will be discarded afterward + */ + unsigned long tmp = strtoul(buf, NULL, 10); + if ( tmp > UINT16_MAX ) + lprintf("stream count out of bound: %lu\n", tmp); + else + desc->stream_count = tmp; desc->stream = calloc(desc->stream_count, sizeof(sdpplin_stream_t*)); handled=1; data=nl(data); diff --git a/src/input/libreal/sdpplin.h b/src/input/libreal/sdpplin.h index cb3b434d4..72cbaf731 100644 --- a/src/input/libreal/sdpplin.h +++ b/src/input/libreal/sdpplin.h @@ -37,7 +37,7 @@ typedef struct { char *id; char *bandwidth; - int stream_id; + uint16_t stream_id; char *range; char *length; char *rtpmap; @@ -81,7 +81,7 @@ typedef struct { int flags; int is_real_data_type; - int stream_count; + uint16_t stream_count; char *title; char *author; char *copyright; -- cgit v1.2.3