From 3a3fa364d3380c95f453f8f225a601279d8ed056 Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Wed, 23 Jan 2008 19:40:16 +0000 Subject: Sanity-check ASF header sizes. This fixes a crash in the ASF demuxer, caused by the example exploit file given for CVE-2006-1664. --- src/demuxers/demux_asf.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/demuxers/demux_asf.c b/src/demuxers/demux_asf.c index c4a154f99..4eb9398be 100644 --- a/src/demuxers/demux_asf.c +++ b/src/demuxers/demux_asf.c @@ -379,10 +379,21 @@ static int asf_read_header (demux_asf_t *this) { char *asf_header_buffer = NULL; asf_header_len = get_le64(this); - asf_header_buffer = alloca(asf_header_len); + if (asf_header_len > 4 * 1024 * 1024) + { + xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, + "demux_asf: asf_read_header: overly-large header? (%"PRIu64" bytes)\n", + asf_header_len); + return 0; + } + + asf_header_buffer = malloc (asf_header_len); if (this->input->read (this->input, asf_header_buffer, asf_header_len) != asf_header_len) + { + free (asf_header_buffer); return 0; + } /* delete previous header */ if (this->asf_header) { @@ -395,7 +406,11 @@ static int asf_read_header (demux_asf_t *this) { */ this->asf_header = asf_header_new(asf_header_buffer, asf_header_len); if (!this->asf_header) + { + free (asf_header_buffer); return 0; + } + free (asf_header_buffer); lprintf("asf header parsing ok\n"); -- cgit v1.2.3 From a6e720ee0284c0c9ec6eb5894ab8e87ee1e53f09 Mon Sep 17 00:00:00 2001 From: Thibaut Mattern Date: Thu, 24 Jan 2008 19:28:43 +0100 Subject: Don't discard audio samples forever. Fixed streaming playback --- src/xine-engine/audio_out.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src') diff --git a/src/xine-engine/audio_out.c b/src/xine-engine/audio_out.c index 7fe92d9fe..e9bda70fb 100644 --- a/src/xine-engine/audio_out.c +++ b/src/xine-engine/audio_out.c 
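Review bot: The result of `malloc (asf_header_len)` is passed straight to `this->input->read` without a NULL check, so an allocation failure on a file-controlled size of up to 4 MiB becomes a write through a null pointer. Add `if (!asf_header_buffer) return 0;` directly after the allocation. A length of 0 also passes the new bound, and `malloc(0)` may return either NULL or a zero-size block, so rejecting `asf_header_len == 0` in the same test as the upper limit would keep that case out of the parser as well. The body of asf_read_header starts before this hunk and continues after it.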
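Review bot: The `free (asf_header_buffer);` added after the successful `asf_header_new` call is only safe if asf_header_new copies everything it keeps; that function is not visible here, so this should be confirmed. With `alloca` the buffer stayed valid until asf_read_header returned, so any later use of `asf_header_buffer` in the part of the function outside this hunk would now read freed memory. If the copy is guaranteed, a comment such as `/* asf_header_new() keeps no pointers into the raw buffer */` above the free would record that. The three separate `free` calls could also be folded into one exit path, so that a future early return is less likely to miss the release.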
@@ -1619,6 +1619,7 @@ static void ao_close(xine_audio_port_t *this_gen, xine_stream_t *stream) { } /* make sure there are no more buffers on queue */ fifo_wait_empty(this->out_fifo); + ao_set_property(this_gen, AO_PROP_DISCARD_BUFFERS, 0); } pthread_mutex_lock( &this->driver_lock ); -- cgit v1.2.3 From b24d41f54d441f518c68c120b8ee1a2673bfbe0d Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Thu, 24 Jan 2008 23:38:09 +0000 Subject: Only restore the audio buffer discard setting if it was altered. (Cset 1a0447486a13 broke things differently.) --- src/xine-engine/audio_out.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/xine-engine/audio_out.c b/src/xine-engine/audio_out.c index e9bda70fb..4dcdb5af0 100644 --- a/src/xine-engine/audio_out.c +++ b/src/xine-engine/audio_out.c @@ -287,6 +287,7 @@ struct audio_fifo_s { int num_buffers; }; +static int ao_get_property (xine_audio_port_t *this_gen, int property); static int ao_set_property (xine_audio_port_t *this_gen, int property, int value); static audio_fifo_t *fifo_new (xine_t *xine) { 
@@ -1612,14 +1613,17 @@ static void ao_close(xine_audio_port_t *this_gen, xine_stream_t *stream) { xprintf (this->xine, XINE_VERBOSITY_DEBUG, "audio_out: no streams left, closing driver\n"); if (this->audio_loop_running) { + /* make sure there are no more buffers on queue */ if (this->clock->speed == XINE_SPEED_PAUSE || (this->clock->speed != XINE_FINE_SPEED_NORMAL && !this->slow_fast_audio)) { - /* discard buffers, otherwise we'll wait forever */ + int discard = ao_get_property(this_gen, AO_PROP_DISCARD_BUFFERS); + /* discard buffers while waiting, otherwise we'll wait forever */ ao_set_property(this_gen, AO_PROP_DISCARD_BUFFERS, 1); + fifo_wait_empty(this->out_fifo); + ao_set_property(this_gen, AO_PROP_DISCARD_BUFFERS, discard); } - /* make sure there are no more buffers on queue */ - fifo_wait_empty(this->out_fifo); - ao_set_property(this_gen, AO_PROP_DISCARD_BUFFERS, 0); + else + fifo_wait_empty(this->out_fifo); } pthread_mutex_lock( &this->driver_lock ); -- cgit v1.2.3 From 6c456a0d597c2a96aadee33c7af5845de279e478 Mon Sep 17 00:00:00 2001 From: Darren Salt Date: Thu, 24 Jan 2008 23:47:36 +0000 Subject: Fix a possible crash on channel change in the DVB plugin. Some 0-sized sections were observed in the TS PMT parser. Test setup details: Test channel is Film 4 on Freeview. Test hardware is a Nova-T Stick (older dib7000m variant). Drivers from v4l-dvb hg, id a1c94c4a05f5, with dib7000m_set_frontend() patched to select OUTMODE_HIGH_Z while tuning. --- src/demuxers/demux_ts.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'src') diff --git a/src/demuxers/demux_ts.c b/src/demuxers/demux_ts.c index 86a14f019..0fa0c971c 100644 --- a/src/demuxers/demux_ts.c +++ b/src/demuxers/demux_ts.c 
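Review bot: Restoring with `ao_set_property(this_gen, AO_PROP_DISCARD_BUFFERS, discard)` assumes the setter stores the value it is given; ao_set_property is not shown in this hunk, and if it treats the argument as a flag or as a nesting count, a non-zero saved value would not bring the state back to what it was. The read, set and restore are also three separate calls, so a change made by another thread while `fifo_wait_empty` blocks would be overwritten; whether that can happen on this path is not visible here. Please confirm the setter's semantics and record them in a comment beside `int discard = ...`. As a style point, the new `else` is unbraced next to a braced `if`; `} else { fifo_wait_empty(this->out_fifo); }` would match the surrounding code.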
@@ -1193,6 +1193,15 @@ printf("Program Number is %i, looking for %i\n",program_number,this->program_num return; } + if (!section_length) { + free (this->pmt[program_count]); + this->pmt[program_count] = NULL; +#ifdef TS_PMT_LOG + printf ("ts_demux: eek, zero-length section?\n"); +#endif + return; + } + #ifdef TS_PMT_LOG printf ("ts_demux: have all TS packets for the PMT section\n"); #endif -- cgit v1.2.3
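Review bot: The new `if (!section_length)` guard rejects only an exactly empty section; a section that is non-zero but shorter than the fixed PMT fields and CRC read further down would presumably still reach the parser, which lies outside this hunk. Consider comparing against the minimum parseable length instead, e.g. `if (section_length < MIN_PMT_SECTION_LEN)`, where the constant name is a placeholder to be defined from the fields the parser actually reads. The buffer is freed and the pointer set to NULL, but any write offset kept alongside `this->pmt[program_count]` is not reset in these lines, so it is worth checking that the next PMT packet starts from a clean state. The message is compiled only under TS_PMT_LOG, so a normal build drops the section without any trace.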