diff -ur ../xine-lib-1.1.1.orig/src/input/mms.c ./src/input/mms.c --- ../xine-lib-1.1.1.orig/src/input/mms.c 2005-04-21 21:02:43.000000000 +0200 +++ ./src/input/mms.c 2006-07-06 20:41:18.000000000 +0200 @@ -138,7 +138,7 @@ int num_stream_ids; int stream_ids[ASF_MAX_NUM_STREAMS]; int stream_types[ASF_MAX_NUM_STREAMS]; - int asf_packet_len; + uint32_t asf_packet_len; uint64_t file_len; char guid[37]; uint32_t bitrates[ASF_MAX_NUM_STREAMS]; @@ -371,13 +371,17 @@ goto error; header->packet_len = LE_32(this->buf + 8) + 4; + if (header->packet_len > BUF_SIZE - 12) { + header->packet_len = 0; + goto error; + } lprintf("mms command\n"); packet_type = MMS_PACKET_COMMAND; } else { header->packet_seq = LE_32(this->buf); header->packet_id_type = this->buf[4]; header->flags = this->buf[5]; - header->packet_len = LE_16(this->buf + 6) - 8; + header->packet_len = (LE_16(this->buf + 6) - 8) & 0xffff; if (header->packet_id_type == ASF_HEADER_PACKET_ID_TYPE) { lprintf("asf header\n"); packet_type = MMS_PACKET_ASF_HEADER; @@ -497,6 +501,11 @@ break; case MMS_PACKET_ASF_HEADER: case MMS_PACKET_ASF_PACKET: + if (header.packet_len + this->asf_header_len > ASF_HEADER_LEN) { + xprintf (this->stream->xine, XINE_VERBOSITY_LOG, + "libmms: asf packet too large\n"); + return 0; + } len = _x_io_tcp_read (this->stream, this->s, this->asf_header + this->asf_header_len, header.packet_len); if (len != header.packet_len) { @@ -542,6 +551,12 @@ case GUID_ASF_FILE_PROPERTIES: this->asf_packet_len = LE_32(this->asf_header + i + 92 - 24); + if (this->asf_packet_len > BUF_SIZE) { + this->asf_packet_len = 0; + xprintf (this->stream->xine, XINE_VERBOSITY_LOG, + "libmms: asf packet len too large\n"); + break; + } this->file_len = LE_64(this->asf_header + i + 40 - 24); lprintf ("file object, file_length = %lld, packet length = %d", this->file_len, this->asf_packet_len); diff -ur ../xine-lib-1.1.1.orig/src/input/mmsh.c ./src/input/mmsh.c --- ../xine-lib-1.1.1.orig/src/input/mmsh.c 2005-08-25 17:36:29.000000000 +0200 +++ ./src/input/mmsh.c 2006-07-06 20:05:58.000000000 +0200 @@ -182,7 +182,7 @@ int num_stream_ids; int stream_ids[ASF_MAX_NUM_STREAMS]; int stream_types[ASF_MAX_NUM_STREAMS]; - int packet_length; + uint32_t packet_length; int64_t file_length; char guid[37]; uint32_t bitrates[ASF_MAX_NUM_STREAMS]; @@ -491,6 +491,10 @@ case GUID_ASF_FILE_PROPERTIES: this->packet_length = LE_32(this->asf_header + i + 92 - 24); + if (this->packet_length > CHUNK_SIZE) { + this->packet_length = 0; + break; + } this->file_length = LE_64(this->asf_header + i + 40 - 24); /*lprintf ("file object, file_length = %lld, packet length = %d", this->file_length, this->packet_count);*/