File sec-008-cve-2008-5243.diff of Package xine-lib

tree e22bf32c3dc0
parent 01753933e664
author Matthias Hopf <mhopf@suse.de> 1231089706 0
committer Matthias Hopf <mhopf@suse.de> 1231089706 0
revision 9640
branch default

Fix for CVE-2008-5243.
The real_parse_headers function in demux_real.c in xine-lib 1.1.12,
and other 1.1.15 and earlier versions, relies on an untrusted input
length value to "reindex into an allocated buffer," which allows
remote attackers to cause a denial of service (crash) via a crafted
value, probably an array index error.
diff --git a/src/demuxers/demux_real.c b/src/demuxers/demux_real.c
--- a/src/demuxers/demux_real.c
+++ b/src/demuxers/demux_real.c
@@ -497,7 +497,8 @@
 	    this->audio_streams[this->num_audio_streams].index = NULL;
 	    this->audio_streams[this->num_audio_streams].mdpr = mdpr;
 	    this->num_audio_streams++;
-	  } else if(_X_BE_32(mdpr->type_specific_data) == RA_TAG) {
+	  } else if(_X_BE_32(mdpr->type_specific_data) == RA_TAG &&
+		    mdpr->type_specific_len >= 6) {
 	    if(this->num_audio_streams == MAX_AUDIO_STREAMS) {
 	      xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG,
 		      "demux_real: maximum number of audio stream exceeded\n");
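Review bot: The new length test on the `else if` is evaluated after `_X_BE_32(mdpr->type_specific_data)`, so the four-byte tag compare still runs before the bound is consulted when type_specific_len is under 4; swapping the operands makes the guard cover the read it sits next to: `} else if(mdpr->type_specific_len >= 6 &&` / `_X_BE_32(mdpr->type_specific_data) == RA_TAG) {`. Whether type_specific_data can in fact be shorter than 4 bytes depends on how mdpr is filled in, which is outside this hunk; if the parser already guarantees a minimum there, a one-line comment at the check saying so would spare the next reader the question. The value 6 presumably covers the version field read just below the tag, and a comment naming that would help too. The enclosing function real_parse_headers starts and ends outside the hunk.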
@@ -508,26 +509,30 @@
 
 	    lprintf("audio version %d detected\n", version);
 
-	    char *fourcc_ptr = NULL;
+	    char *fourcc_ptr = "\0\0\0";
 	    switch(version) {
             case 3:
               /* Version 3 header stores fourcc after meta info - cheat by reading backwards from the 
                * end of the header instead of having to parse it all */
-              fourcc_ptr = mdpr->type_specific_data + mdpr->type_specific_len - 5;
+	      if (mdpr->type_specific_len >= 5)
+                fourcc_ptr = mdpr->type_specific_data + mdpr->type_specific_len - 5;
               break;
 	    case 4: {
-	      const uint8_t len = *(mdpr->type_specific_data + 56);
-	      fourcc_ptr = mdpr->type_specific_data + 58 + len;
+	      if (mdpr->type_specific_len >= 57) {
+	        const uint8_t len = *(mdpr->type_specific_data + 56);
+	        if (mdpr->type_specific_len >= 62 + len)
+	          fourcc_ptr = mdpr->type_specific_data + 58 + len;
+	      }
 	    }
               break;
             case 5:
-              fourcc_ptr = mdpr->type_specific_data + 66;
+	      if (mdpr->type_specific_len >= 70)
+                fourcc_ptr = mdpr->type_specific_data + 66;
               break;
             default:
               lprintf("unsupported audio header version %d\n", version);
               goto unknown;
 	    }
-
 	    lprintf("fourcc = %.4s\n", fourcc_ptr);
 
 	    const uint32_t fourcc = _X_ME_32(fourcc_ptr);
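Review bot: A header that fails one of the new length checks in `case 3`, `case 4` or `case 5` is handled silently: `fourcc_ptr` keeps the `"\0\0\0"` default and execution continues into `lprintf("fourcc = %.4s\n", ...)` and `_X_ME_32(fourcc_ptr)` as if the stream had declared an all-zero fourcc, so a truncated type-specific block — the malformed input this fix is about — leaves no trace in the log. Each short-header branch deserves an `else lprintf("type_specific_len too short for audio header version %d\n", version);`, or, if later code does not cope with a zero fourcc, the same `goto unknown` the `default:` case takes. The bounds themselves look right (`62 + len` and `70` cover the four bytes read at `58 + len` and `66`), but a comment on the first of them, `/* fourcc is read as 4 bytes at offset 58 + len */`, would spare the next reader the arithmetic. Since `fourcc_ptr` now points at a string literal it should be `const char *fourcc_ptr`, assuming `_X_ME_32` accepts a const pointer. real_parse_headers begins and ends outside this hunk.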