File sec-007-cve-2008-5240.diff of Package xine-lib

tree 06ac70e2544f
parent 7fb21abb15e5
author Matthias Hopf <mhopf@suse.de> 1231089706 0
committer Matthias Hopf <mhopf@suse.de> 1231089706 0
revision 9639
branch default

Fix for CVE-2008-5240
xine-lib 1.1.12, and other 1.1.15 and earlier versions, relies on an
untrusted input value to determine the memory allocation and does not
check the result for (1) the MATROSKA_ID_TR_CODECPRIVATE track entry
element processed by demux_matroska.c; and (2) PROP_TAG, (3) MDPR_TAG,
and (4) CONT_TAG chunks processed by the real_parse_headers function
in demux_real.c, which allows remote attackers to cause a denial of
service (NULL pointer dereference and crash) or possibly execute
arbitrary code via a crafted chunk size value.
diff --git a/src/demuxers/demux_real.c b/src/demuxers/demux_real.c
--- a/src/demuxers/demux_real.c
+++ b/src/demuxers/demux_real.c
@@ -435,9 +435,14 @@
     case MDPR_TAG:
     case CONT_TAG:
       {
+	if (chunk_size < PREAMBLE_SIZE+1) {
+	  this->status = DEMUX_FINISHED;
+	  return;
+	}
 	chunk_size -= PREAMBLE_SIZE;
 	uint8_t *const chunk_buffer = malloc(chunk_size);
-	if (this->input->read(this->input, chunk_buffer, chunk_size) !=
+	if (! chunk_buffer ||
+	    this->input->read(this->input, chunk_buffer, chunk_size) !=
 	    chunk_size) {
 	  free (chunk_buffer);
 	  this->status = DEMUX_FINISHED;
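Review bot: The new guard at `if (chunk_size < PREAMBLE_SIZE+1)` only lower-bounds the attacker-supplied size; after subtracting the preamble the full remaining value still goes straight into malloc(), so if chunk_size is a 32-bit field read from the stream (its declaration and the surrounding function are outside this hunk) a crafted header can still force a multi-gigabyte allocation that may succeed and then stall in read(). The NULL check on chunk_buffer now handles the failure case correctly, but a sanity cap such as `if (chunk_size < PREAMBLE_SIZE+1 || chunk_size > MAX_HEADER_CHUNK_SIZE)` with a conservative constant would bound both memory and I/O for these three header tags. The reason for the `+1` is also worth stating, since a later reader may "simplify" it to `< PREAMBLE_SIZE` and reintroduce `malloc(0)`, whose return value is implementation-defined and would otherwise be mistaken for allocation failure; add `/* at least one payload byte after the preamble; also rules out malloc(0) and unsigned wrap in the subtraction below */` above the check. Minor style: `! chunk_buffer` breaks the file's `!x` spacing used elsewhere in this hunk's condition.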