
xine-lib-1.1.15-2.2mdv2009.0.src.rpm

changeset:   9638:4982c9920f42
user:        Matthias Hopf <mhopf@suse.de>
date:        Sun Jan 04 17:21:46 2009 +0000
summary:     Fix for CVE-2008-5243.

diff -r 01753933e664 -r 4982c9920f42 src/demuxers/demux_real.c
--- a/src/demuxers/demux_real.c	Sun Jan 04 17:21:46 2009 +0000
+++ b/src/demuxers/demux_real.c	Sun Jan 04 17:21:46 2009 +0000
@@ -497,7 +497,8 @@
 	    this->audio_streams[this->num_audio_streams].index = NULL;
 	    this->audio_streams[this->num_audio_streams].mdpr = mdpr;
 	    this->num_audio_streams++;
-	  } else if(_X_BE_32(mdpr->type_specific_data) == RA_TAG) {
+	  } else if(_X_BE_32(mdpr->type_specific_data) == RA_TAG &&
+		    mdpr->type_specific_len >= 6) {
 	    if(this->num_audio_streams == MAX_AUDIO_STREAMS) {
 	      xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG,
 		      "demux_real: maximum number of audio stream exceeded\n");
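Review bot: The new length test sits after `_X_BE_32(mdpr->type_specific_data) == RA_TAG` in the `else if`, so the four-byte tag read still happens before `type_specific_len` is consulted. If a header can arrive with fewer than four bytes of type-specific data (the allocation and the preceding branch are outside this hunk, so this is not confirmed here), that comparison reads past the data. Putting the length first relies on short-circuit evaluation and costs nothing: `} else if(mdpr->type_specific_len >= 6 && _X_BE_32(mdpr->type_specific_data) == RA_TAG) {`. A short comment stating which fields the 6 bytes cover would also make the bound checkable.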
@@ -508,26 +509,30 @@
 
 	    lprintf("audio version %d detected\n", version);
 
-	    char *fourcc_ptr = NULL;
+	    char *fourcc_ptr = "\0\0\0";
 	    switch(version) {
             case 3:
               /* Version 3 header stores fourcc after meta info - cheat by reading backwards from the 
                * end of the header instead of having to parse it all */
-              fourcc_ptr = mdpr->type_specific_data + mdpr->type_specific_len - 5;
+	      if (mdpr->type_specific_len >= 5)
+                fourcc_ptr = mdpr->type_specific_data + mdpr->type_specific_len - 5;
               break;
 	    case 4: {
-	      const uint8_t len = *(mdpr->type_specific_data + 56);
-	      fourcc_ptr = mdpr->type_specific_data + 58 + len;
+	      if (mdpr->type_specific_len >= 57) {
+	        const uint8_t len = *(mdpr->type_specific_data + 56);
+	        if (mdpr->type_specific_len >= 62 + len)
+	          fourcc_ptr = mdpr->type_specific_data + 58 + len;
+	      }
 	    }
               break;
             case 5:
-              fourcc_ptr = mdpr->type_specific_data + 66;
+	      if (mdpr->type_specific_len >= 70)
+                fourcc_ptr = mdpr->type_specific_data + 66;
               break;
             default:
               lprintf("unsupported audio header version %d\n", version);
               goto unknown;
 	    }
-
 	    lprintf("fourcc = %.4s\n", fourcc_ptr);
 
 	    const uint32_t fourcc = _X_ME_32(fourcc_ptr);
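Review bot: When a length check fails in case 3, 4 or 5, `fourcc_ptr` keeps pointing at the `"\0\0\0"` literal and parsing continues with a fourcc of zero, so a truncated header is not rejected, only given a placeholder codec tag. The `default:` case already bails out with `goto unknown;`, and doing the same on a short header, e.g. `if (mdpr->type_specific_len < 70) goto unknown;` in case 5, together with a debug message, would make the rejection explicit. How a zero fourcc is handled after `_X_ME_32(fourcc_ptr)` is outside this hunk, so the current behaviour may already be benign. If the literal stays, declare it as `const char *fourcc_ptr` since it points at a string literal, and add a comment on each bound (offset plus the four fourcc bytes, e.g. 66 + 4 = 70) so the constants can be verified against the header layout.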