# HG changeset patch # User Darren Salt <linux@youmustbejoking.demon.co.uk> # Date 1201117216 0 # Node ID fb6d089b520dca199ef16a046da28c50c984c2d2 # Parent 461fae9b8fcaa64866bbee23d2e8aa006dd84a8d Sanity-check ASF header sizes. This fixes a crash in the ASF demuxer, caused by the example exploit file given for CVE-2006-1664. --- a/src/demuxers/demux_asf.c Wed Jan 23 18:29:51 2008 +0000 +++ b/src/demuxers/demux_asf.c Wed Jan 23 19:40:16 2008 +0000 @@ -379,10 +379,21 @@ static int asf_read_header (demux_asf_t char *asf_header_buffer = NULL; asf_header_len = get_le64(this); - asf_header_buffer = alloca(asf_header_len); + if (asf_header_len > 4 * 1024 * 1024) + { + xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, + "demux_asf: asf_read_header: overly-large header? (%"PRIu64" bytes)\n", + asf_header_len); + return 0; + } + + asf_header_buffer = malloc (asf_header_len); if (this->input->read (this->input, asf_header_buffer, asf_header_len) != asf_header_len) + { + free (asf_header_buffer); return 0; + } /* delete previous header */ if (this->asf_header) { @@ -395,7 +406,11 @@ static int asf_read_header (demux_asf_t */ this->asf_header = asf_header_new(asf_header_buffer, asf_header_len); if (!this->asf_header) + { + free (asf_header_buffer); return 0; + } + free (asf_header_buffer); lprintf("asf header parsing ok\n");