
xine-lib-1.1.0-9.7.20060mdk.src.rpm

diff -ur ../xine-lib-1.1.1.orig/src/input/mms.c ./src/input/mms.c
--- ../xine-lib-1.1.1.orig/src/input/mms.c	2005-04-21 21:02:43.000000000 +0200
+++ ./src/input/mms.c	2006-07-06 20:41:18.000000000 +0200
@@ -138,7 +138,7 @@
   int           num_stream_ids;
   int           stream_ids[ASF_MAX_NUM_STREAMS];
   int           stream_types[ASF_MAX_NUM_STREAMS];
-  int           asf_packet_len;
+  uint32_t      asf_packet_len;
   uint64_t      file_len;
   char          guid[37];
   uint32_t      bitrates[ASF_MAX_NUM_STREAMS];
@@ -371,13 +371,17 @@
       goto error;
     
     header->packet_len = LE_32(this->buf + 8) + 4;
+    if (header->packet_len > BUF_SIZE - 12) {
+      header->packet_len = 0;
+      goto error;
+    }
     lprintf("mms command\n");
     packet_type = MMS_PACKET_COMMAND;
   } else {
     header->packet_seq     = LE_32(this->buf);
     header->packet_id_type = this->buf[4];
     header->flags          = this->buf[5];
-    header->packet_len     = LE_16(this->buf + 6) - 8;
+    header->packet_len     = (LE_16(this->buf + 6) - 8) & 0xffff;
     if (header->packet_id_type == ASF_HEADER_PACKET_ID_TYPE) {
       lprintf("asf header\n");
       packet_type = MMS_PACKET_ASF_HEADER;
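Review bot: In the non-command branch, masking with `& 0xffff` turns a length field smaller than 8 into a value between 0xfff8 and 0xffff instead of rejecting it, so a malformed header yields a near-maximal `packet_len` that every later consumer has to bound. Rejecting it at the source is clearer: `if (LE_16(this->buf + 6) < 8) goto error;` before the assignment, using the `error` label already used earlier in this function. In the command branch the `+ 4` is applied before the new range check, so if `packet_len` is a 32-bit unsigned field (its declaration is not in the hunk) a wire value near 0xffffffff wraps to a small length and passes; comparing the raw `LE_32` value first avoids that. The function begins and ends outside the hunk.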
@@ -497,6 +501,11 @@
         break;
       case MMS_PACKET_ASF_HEADER:
       case MMS_PACKET_ASF_PACKET:
+	if (header.packet_len + this->asf_header_len > ASF_HEADER_LEN) {
+	    xprintf (this->stream->xine, XINE_VERBOSITY_LOG,
+		     "libmms: asf packet too large\n");
+	    return 0;
+	}
         len = _x_io_tcp_read (this->stream, this->s,
                               this->asf_header + this->asf_header_len, header.packet_len);
         if (len != header.packet_len) {
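Review bot: The new bound `header.packet_len + this->asf_header_len > ASF_HEADER_LEN` is written as a sum, so it is only reliable if the addition cannot wrap or go negative; the types of both operands are declared outside the hunk. Writing it as `if (header.packet_len > ASF_HEADER_LEN - this->asf_header_len)` keeps the check correct regardless of how `packet_len` was bounded earlier, provided `asf_header_len` never exceeds `ASF_HEADER_LEN`. A one-line comment stating that this guards the read into `this->asf_header` would also help the next reader. The enclosing switch and function continue outside the hunk.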
@@ -542,6 +551,12 @@
       case GUID_ASF_FILE_PROPERTIES:
 
         this->asf_packet_len = LE_32(this->asf_header + i + 92 - 24);
+        if (this->asf_packet_len > BUF_SIZE) {
+          this->asf_packet_len = 0;
+	  xprintf (this->stream->xine, XINE_VERBOSITY_LOG,
+		   "libmms: asf packet len too large\n");
+	  break;
+        }
         this->file_len       = LE_64(this->asf_header + i + 40 - 24);
         lprintf ("file object, file_length = %lld, packet length = %d",
 		 this->file_len, this->asf_packet_len);
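Review bot: On an oversized value the added branch zeroes `asf_packet_len` and then `break`s, which only leaves the `switch` case: header interpretation carries on, `file_len` is left unset, and the caller sees no failure unless it treats a zero packet length as an error, which is not visible here. Consider propagating an error from this function, or at least add a comment such as `/* 0 marks an invalid packet length; callers must refuse to stream */`. The mmsh.c hunk at `GUID_ASF_FILE_PROPERTIES` has the same pattern with `packet_length` and, unlike this one, logs nothing. Separately, with the field now `uint32_t`, the `lprintf` below should print `asf_packet_len` with `%u` rather than `%d`.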
diff -ur ../xine-lib-1.1.1.orig/src/input/mmsh.c ./src/input/mmsh.c
--- ../xine-lib-1.1.1.orig/src/input/mmsh.c	2005-08-25 17:36:29.000000000 +0200
+++ ./src/input/mmsh.c	2006-07-06 20:05:58.000000000 +0200
@@ -182,7 +182,7 @@
   int           num_stream_ids;
   int           stream_ids[ASF_MAX_NUM_STREAMS];
   int           stream_types[ASF_MAX_NUM_STREAMS];
-  int           packet_length;
+  uint32_t      packet_length;
   int64_t       file_length;
   char          guid[37];
   uint32_t      bitrates[ASF_MAX_NUM_STREAMS];
@@ -491,6 +491,10 @@
       case GUID_ASF_FILE_PROPERTIES:
 
         this->packet_length = LE_32(this->asf_header + i + 92 - 24);
+	if (this->packet_length > CHUNK_SIZE) {
+	  this->packet_length = 0;
+	  break;
+	}
         this->file_length   = LE_64(this->asf_header + i + 40 - 24);
         /*lprintf ("file object, file_length = %lld, packet length = %d",
 		 this->file_length, this->packet_count);*/