
xine-lib-1.1.15-2.2mdv2009.0.src.rpm

changeset:   9704:5df277a7eec3
user:        Darren Salt <linux@youmustbejoking.demon.co.uk>
date:        Fri Jan 16 18:16:17 2009 +0000
summary:     Fix a broken size check in the pvr input plugin (ref. CVE-2008-5239).
diff -p -up src/input/input_pvr.c.orig0 src/input/input_pvr.c
--- src/input/input_pvr.c.orig0	2009-01-20 10:33:37.000000000 -0500
+++ src/input/input_pvr.c	2009-01-20 10:34:55.000000000 -0500
@@ -1202,14 +1202,17 @@ static buf_element_t *pvr_plugin_read_bl
   buf_element_t        *buf;
   int                   speed = _x_get_speed(this->stream);
 
-  if (todo < 0 || todo > buf->size)
-    return NULL;
-
   if( !this->pvr_running ) {
     xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, "input_pvr: thread died, aborting\n");
     return NULL;  
   }
 
+  buf = fifo->buffer_pool_alloc (fifo);                                                     
+  if (todo < 0 || todo > buf->size) {                                                       
+    buf->free_buffer(buf);                                                                  
+    return NULL;                                                                            
+  }  
+
   if( this->scr_tunning == -2 )
     speed = this->speed_before_pause;
 
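Review bot: Moving the allocation up to line 1209 means `buf` is now held across everything between this hunk and the old allocation site in the second hunk, and part of that stretch is not visible here. Any return path in it would need `buf->free_buffer(buf);` first, as the new rejection branch does, or the pool loses an element each time. The new check also reads `buf->size` without testing the allocator's result; whether `buffer_pool_alloc` can return NULL is not visible from the hunk, but if it can, `if (!buf) return NULL;` belongs before the comparison. A short comment on the allocation, such as `/* allocate before the check: it reads buf->size */`, would stop a later cleanup from moving it back below the check. The body of the function starts and ends outside the hunk.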
@@ -1233,7 +1236,6 @@ static buf_element_t *pvr_plugin_read_bl
 
   pvr_event_handler(this);
   
-  buf = fifo->buffer_pool_alloc (fifo);
   buf->content = buf->mem;
     
   pthread_mutex_lock(&this->lock);