'[xine-cvs] HG: xine-lib-1.2: Check for possible buffer overflow'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       xine-cvslog
Subject:    [xine-cvs] HG: xine-lib-1.2: Check for possible buffer overflow
From:       Darren Salt <linux () youmustbejoking ! demon ! co ! uk>
Date:       2008-08-14 20:53:52
Message-ID: 1f961a5d8a7f3cc98510.1218645185 () hg ! debian ! org
[Download RAW message or body]

# HG changeset patch
# User Darren Salt <linux@youmustbejoking.demon.co.uk>
# Date 1218645185 -3600
# Node ID 1f961a5d8a7f3cc985109b1cb5faba59bd4d22cc
# Parent  35f09930323e46c92e521846b9ccdfd5e277ad16
Check for possible buffer overflow attempts in the Real demuxer.

diff -r 1f961a5d8a7f3cc985109b1cb5faba59bd4d22cc -r \
                35f09930323e46c92e521846b9ccdfd5e277ad16 src/demuxers/demux_real.c
--- a/src/demuxers/demux_real.c	Wed Aug 13 17:33:05 2008 +0100
+++ b/src/demuxers/demux_real.c	Wed Aug 13 17:33:04 2008 +0100
@@ -1376,6 +1376,7 @@ static int demux_real_send_chunk(demux_p
       int spc = this->audio_stream->sub_packet_cnt;
       int x;
       off_t pos;
+      const size_t fs = this->audio_stream->frame_size;
 
       if (!buffer) {
         this->status = DEMUX_FINISHED;
@@ -1386,7 +1387,7 @@ static int demux_real_send_chunk(demux_p
       case BUF_AUDIO_28_8:
 	for (x = 0; x < sph / 2; x++) {
 	  pos = x * 2 * w + spc * cfs;
-	  if(this->input->read(this->input, buffer + pos, cfs) < cfs) {
+	  if(pos + cfs > fs || this->input->read(this->input, buffer + pos, cfs) < cfs) {
 	    xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, 
 		    "demux_real: failed to read audio chunk\n");
 	    
@@ -1399,7 +1400,7 @@ static int demux_real_send_chunk(demux_p
       case BUF_AUDIO_ATRK:
 	for (x = 0; x < w / sps; x++) {
 	  pos = sps * (sph * x + ((sph + 1) / 2) * (spc & 1) + (spc >> 1));
-	  if(this->input->read(this->input, buffer + pos, sps) < sps) {
+	  if(pos + sps > fs || this->input->read(this->input, buffer + pos, sps) < sps) {
 	    xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, 
 		    "demux_real: failed to read audio chunk\n");
 	    
@@ -1410,7 +1411,7 @@ static int demux_real_send_chunk(demux_p
 	break;
       case BUF_AUDIO_SIPRO:
 	pos = spc * w;
-	if(this->input->read(this->input, buffer + pos, w) < w) {
+	if(pos + w > fs || this->input->read(this->input, buffer + pos, w) < w) {
 	  xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, 
 		  "demux_real: failed to read audio chunk\n");
 	    

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Xine-cvslog mailing list
Xine-cvslog@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xine-cvslog


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic