File sec-005-cve-2008-5237.diff of Package xine-lib

tree 6f52eb5e3820
parent e38bb4b22431
author Matthias Hopf <mhopf@suse.de> 1231089706 0
committer Matthias Hopf <mhopf@suse.de> 1231089706 0
revision 9637
branch default

Fix for CVE-2008-5237
Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and
earlier versions, allow remote attackers to cause a denial of service
(crash) or possibly execute arbitrary code via (1) crafted width and
height values that are not validated by the mymng_process_header
function in demux_mng.c before use in an allocation calculation or (2)
crafted current_atom_size and string_size values processed by the
parse_reference_atom function in demux_qt.c.
diff --git a/src/demuxers/demux_mng.c b/src/demuxers/demux_mng.c
--- a/src/demuxers/demux_mng.c
+++ b/src/demuxers/demux_mng.c
@@ -111,6 +111,9 @@
 
 static mng_bool mymng_process_header(mng_handle mngh, mng_uint32 width, mng_uint32 height){
   demux_mng_t *this = (demux_mng_t*)mng_get_userdata(mngh);
+
+  if (width > 0x8000 || height > 0x8000)
+      return MNG_FALSE;
 
   this->bih.biWidth = (width + 7) & ~7;
   this->bih.biHeight = height;
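Review bot: The `0x8000` bound added at the top of mymng_process_header is an unexplained magic number, and it still admits a 0x8000 by 0x8000 image, i.e. 2^30 pixels. The allocation calculation the commit message refers to is outside the hunk, so it cannot be confirmed from here that this pixel count times the per-pixel factor fits the type used there. That should be checked together with the allocation's failure path, since a crafted header can still request a buffer of a gigabyte or more. I would name the limit and document it, e.g. `/* cap dimensions so the image-buffer size computed below cannot overflow */`.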
diff --git a/src/demuxers/demux_qt.c b/src/demuxers/demux_qt.c
--- a/src/demuxers/demux_qt.c
+++ b/src/demuxers/demux_qt.c
@@ -1597,13 +1597,16 @@
   qt_atom current_atom;
   unsigned int current_atom_size;
 
+  if (ref_atom_size >= 0x80000000)
+    return QT_NOT_A_VALID_FILE;
+
   /* initialize reference atom */
   ref->url = NULL;
   ref->data_rate = 0;
   ref->qtim_version = 0;
 
   /* traverse through the atom looking for the key atoms */
-  for (i = ATOM_PREAMBLE_SIZE; i < ref_atom_size - 4; i++) {
+  for (i = ATOM_PREAMBLE_SIZE; i + 4 < ref_atom_size; i++) {
 
     current_atom_size = _X_BE_32(&ref_atom[i - 4]);
     current_atom = _X_BE_32(&ref_atom[i]);
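Review bot: The new `ref_atom_size >= 0x80000000` guard returns before `ref->url`, `ref->data_rate` and `ref->qtim_version` are initialised, so on this error path the caller gets back a reference whose `url` pointer is indeterminate. If a caller or cleanup routine reads or frees `ref->url` after a failed parse (not visible here), that is a use or free of an uninitialised pointer. Moving the guard below the three initialisations avoids it. The function's signature and the origin of `ref_atom_size` are outside the hunk.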
@@ -1612,7 +1615,7 @@
       size_t string_size = _X_BE_32(&ref_atom[i + 12]);
       size_t url_offset = 0;
 
-      if (string_size >= current_atom_size || i + string_size >= ref_atom_size)
+      if (string_size >= current_atom_size || string_size >= ref_atom_size - i)
         return QT_NOT_A_VALID_FILE;
 
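Review bot: The rewritten bound `string_size >= ref_atom_size - i` ignores the fixed 16-byte offset of the string. `string_size` is read from `ref_atom[i + 12]` and the URL is compared at `ref_atom[i + 16]` in the next hunk, while the loop condition guarantees only `i + 4 < ref_atom_size`. The length field can therefore be read beyond the end of the atom, and an accepted string can extend past it, assuming the copy outside these hunks starts at `i + 16`. I would test `ref_atom_size - i < 16` before the read and tighten the comparison to `string_size > ref_atom_size - i - 16`. The lines between the previous hunk and this one, and the copy itself, are not shown.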
       /* if the URL starts with "http://", copy it */
@@ -1620,6 +1623,8 @@
 	   memcmp(&ref_atom[i + 16], "rtsp://", 7) &&
 	   base_mrl )
 	url_offset = strlen(base_mrl);
+      if (url_offset >= 0x80000000)
+        return QT_NOT_A_VALID_FILE;
 
       /* otherwise, append relative URL to base MRL */
       string_size += url_offset;
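Review bot: The `url_offset >= 0x80000000` check needs a comment, because the reason it makes `string_size += url_offset` safe depends on two checks far above it: `ref_atom_size < 0x80000000` at function entry and `string_size < ref_atom_size - i`. I would add `/* string_size and url_offset are both below 2^31 here, so the sum cannot wrap a 32-bit size_t */`. An over-long `base_mrl` is also reported as `QT_NOT_A_VALID_FILE`, although the file is not at fault in that case. The enclosing `if` and the allocation that uses the sum are outside the hunk.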