changeset: 9704:5df277a7eec3
user: Darren Salt <linux@youmustbejoking.demon.co.uk>
date: Fri Jan 16 18:16:17 2009 +0000
summary: Fix a broken size check in the pvr input plugin (ref. CVE-2008-5239).
diff -p -up src/input/input_pvr.c.orig0 src/input/input_pvr.c
--- src/input/input_pvr.c.orig0 2009-01-20 10:33:37.000000000 -0500
+++ src/input/input_pvr.c 2009-01-20 10:34:55.000000000 -0500
@@ -1202,14 +1202,17 @@ static buf_element_t *pvr_plugin_read_bl
 buf_element_t *buf;
 int speed = _x_get_speed(this->stream);
- if (todo < 0 || todo > buf->size)
- return NULL;
-
 if( !this->pvr_running ) {
 xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, "input_pvr: thread died, aborting\n");
 return NULL;
 }
+ buf = fifo->buffer_pool_alloc (fifo);
+ if (todo < 0 || todo > buf->size) {
+ buf->free_buffer(buf);
+ return NULL;
+ }
+
 if( this->scr_tunning == -2 )
 speed = this->speed_before_pause;
@@ -1233,7 +1236,6 @@ static buf_element_t *pvr_plugin_read_bl
 pvr_event_handler(this);
- buf = fifo->buffer_pool_alloc (fifo);
 buf->content = buf->mem;
 pthread_mutex_lock(&this->lock);
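Review bot: Hoisting `buf = fifo->buffer_pool_alloc (fifo);` to just after the `pvr_running` check means every exit between this point and the old allocation site now owns a pool buffer, and the lines between the two hunks are not shown. Any `return NULL` in that stretch needs the same `buf->free_buffer(buf);` the new size check has, otherwise one buffer leaks per failed call. The buffer is now also held across `pvr_event_handler(this)`, so if that call can wait, the fifo pool is one element short for that time. If `buffer_pool_alloc` can return NULL in this tree (not visible here), the `buf->size` read needs a guard. A short comment would stop the ordering from being reverted later, for example `/* allocate first: the check below reads buf->size, which was uninitialised before (CVE-2008-5239) */`.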