From 642887b80beb1f9404f32e68c1f63a11b703841e Mon Sep 17 00:00:00 2001 From: Thomas Viehmann Date: Thu, 1 Jan 2009 01:45:15 +0100 Subject: check for negative/too large return values of get_size when demuxing mod streams get_size might return -1 (e.g. for streams whose size is unknown), but demux_mod is not able to handle this. This is particularly bad because it is later assigned to unsigned types (demux_mod_t.filesize is size_t). Based on a patch by Matthias Hopf . --- src/demuxers/demux_mod.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/demuxers/demux_mod.c b/src/demuxers/demux_mod.c index bffcf36d8..073927707 100644 --- a/src/demuxers/demux_mod.c +++ b/src/demuxers/demux_mod.c @@ -130,9 +130,16 @@ static int probe_mod_file(demux_mod_t *this) { /* returns 1 if the MOD file was opened successfully, 0 otherwise */ static int open_mod_file(demux_mod_t *this) { int total_read; + off_t input_length; /* Get size and create buffer */ - this->filesize = this->input->get_length(this->input); + input_length = this->input->get_length(this->input); + /* Avoid potential issues with signed variables and e.g. read() returning -1 */ + if (input_length > 0x7FFFFFFF || input_length < 0) { + xine_log(this->stream->xine, XINE_LOG_PLUGIN, "modplug - size overflow\n"); + return 0; + } + this->filesize = input_length; this->buffer = (char *)malloc(this->filesize); if(!this->buffer) { xine_log(this->stream->xine, XINE_LOG_PLUGIN, "modplug - allocation failure\n"); -- cgit v1.2.3