
xine-lib-1.1.8-4.7mdv2008.0.src.rpm


# HG changeset patch
# User Darren Salt <linux@youmustbejoking.demon.co.uk>
# Date 1201117216 0
# Node ID fb6d089b520dca199ef16a046da28c50c984c2d2
# Parent 461fae9b8fcaa64866bbee23d2e8aa006dd84a8d
Sanity-check ASF header sizes.
This fixes a crash in the ASF demuxer, caused by the example exploit file given
for CVE-2006-1664.

--- a/src/demuxers/demux_asf.c	Wed Jan 23 18:29:51 2008 +0000
+++ b/src/demuxers/demux_asf.c	Wed Jan 23 19:40:16 2008 +0000
@@ -379,10 +379,21 @@ static int asf_read_header (demux_asf_t 
   char *asf_header_buffer = NULL;
 
   asf_header_len = get_le64(this);
-  asf_header_buffer = alloca(asf_header_len);
+  if (asf_header_len > 4 * 1024 * 1024)
+  {
+    xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, 
+	    "demux_asf: asf_read_header: overly-large header? (%"PRIu64" bytes)\n",
+	    asf_header_len);
+    return 0;
+  }
+
+  asf_header_buffer = malloc (asf_header_len);
 
   if (this->input->read (this->input, asf_header_buffer, asf_header_len) != asf_header_len)
+  {
+    free (asf_header_buffer);
     return 0;
+  }
 
   /* delete previous header */
   if (this->asf_header) {
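Review bot: The result of `malloc (asf_header_len)` is passed straight to `this->input->read` without a NULL check, so a failed allocation hands the input plugin a null destination; add `if (!asf_header_buffer) return 0;` immediately after the allocation. The 4 MiB cap bounds how much a file can request but does not guarantee the request succeeds, and with `alloca` replaced by the heap this is now a reportable failure rather than a stack overrun. The cap is also only an upper bound: a length of zero passes it, and whether `asf_header_new` copes with an empty buffer is not visible here, so a minimum-size check may be worth adding next to the maximum. The body of asf_read_header starts and ends outside this hunk.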
@@ -395,7 +406,11 @@ static int asf_read_header (demux_asf_t 
    */
   this->asf_header = asf_header_new(asf_header_buffer, asf_header_len);
   if (!this->asf_header)
+  {
+    free (asf_header_buffer);
     return 0;
+  }
+  free (asf_header_buffer);
 
   lprintf("asf header parsing ok\n");