changeset: 9637:01753933e664
user: Matthias Hopf <mhopf@suse.de>
date: Sun Jan 04 17:21:46 2009 +0000
summary: Fix for CVE-2008-5240
diff -r 7fb21abb15e5 -r 01753933e664 src/demuxers/demux_real.c
--- a/src/demuxers/demux_real.c Sun Jan 04 17:21:46 2009 +0000
+++ b/src/demuxers/demux_real.c Sun Jan 04 17:21:46 2009 +0000
@@ -435,9 +435,14 @@
 case MDPR_TAG:
 case CONT_TAG:
 {
+ if (chunk_size < PREAMBLE_SIZE+1) {
+ this->status = DEMUX_FINISHED;
+ return;
+ }
 chunk_size -= PREAMBLE_SIZE;
 uint8_t *const chunk_buffer = malloc(chunk_size);
- if (this->input->read(this->input, chunk_buffer, chunk_size) !=
+ if (! chunk_buffer ||
+ this->input->read(this->input, chunk_buffer, chunk_size) !=
 chunk_size) {
 free (chunk_buffer);
 this->status = DEMUX_FINISHED;
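Review bot: The new guard ahead of `chunk_size -= PREAMBLE_SIZE;` sets only a lower bound, so a size taken from the file still reaches `malloc(chunk_size)` with no upper limit. The added `! chunk_buffer` test covers an allocation that fails, but where a very large request succeeds the demuxer relies on the short read alone to bail out. Consider rejecting oversized header chunks in the same test, e.g. `if (chunk_size < PREAMBLE_SIZE+1 || chunk_size > MAX_HEADER_CHUNK_PLACEHOLDER) {`, with the limit being a constant the project would need to define. A comment on the guard would also help, such as `/* need at least one payload byte; presumably also prevents wrap-around in the subtraction below if chunk_size is unsigned */`. The case block continues past the end of the hunk, so whether the code that consumes `chunk_buffer` bounds its reads by `chunk_size` cannot be confirmed from here.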