# HG changeset patch
# User Darren Salt <linux@youmustbejoking.demon.co.uk>
# Date 1218190230 -3600
# Node ID 67bfec7af3472674ba7396bd468b7607339fe102
# Parent  96eaf3a2cb5b9361d00aa02c51bd740c515a5f25
Fix crash with corrupted AVI files (chunk size).

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,7 @@ xine-lib (1.1.15) 2008-??-??
 xine-lib (1.1.15) 2008-??-??
   * Security fixes:
-    - Fix crashes with corrupted Ogg files. (CVE-2008-3231)
-    - Fix crashes with fuzzed Windows Media files.
+    - Fix crashes with various corrupted media files, including Ogg.
+      (CVE-2008-3231)
     - Delay V4L video frame preallocation until we know how large they'll be.
   * Use external ffmpeg by default.
   * V4L: Don't segfault if asked for an input that doesn't exist.
diff --git a/src/demuxers/demux_avi.c b/src/demuxers/demux_avi.c
--- a/src/demuxers/demux_avi.c
+++ b/src/demuxers/demux_avi.c
@@ -316,6 +316,8 @@ typedef struct {
 #define AVI_ERR_NO_IDX      13     /* The file has been opened with
                                       getIndex==0, but an operation has been
                                       performed that needs an index */
+
+#define AVI_ERR_BAD_SIZE    14     /* A chunk has an invalid size */
 
 #define AVI_HEADER_UNKNOWN  -1
 #define AVI_HEADER_AUDIO     0
@@ -780,7 +782,7 @@ static avi_t *XINE_MALLOC AVI_init(demux
     lprintf("chunk: %c%c%c%c, size: %" PRId64 "\n",
             data[0], data[1], data[2], data[3], (int64_t)n);
     
-    if((strncasecmp(data,"LIST",4) == 0) && (n >= 4)) {
+    if (n >= 4 && strncasecmp(data,"LIST",4) == 0) {
       if( this->input->read(this->input, data,4) != 4 ) ERR_EXIT(AVI_ERR_READ);
       n -= 4;
       
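Review bot: The `n >= 4` test is what keeps the `n -= 4` two lines below from underflowing on a truncated LIST chunk, and the code does not say so; a comment such as `/* need the 4-byte list type; keeps n -= 4 from underflowing */` would record that. Moving the test in front of `strncasecmp` does not change which inputs enter the branch, because `data` has already been filled and neither operand has side effects, so the reorder is a readability change only. No upper bound on `n` is visible here; whatever uses `n` as a length after this point (outside the hunk) should be confirmed to check it against the data actually available.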
@@ -835,6 +837,8 @@ static avi_t *XINE_MALLOC AVI_init(demux
   /* Interpret the header list */
 
   for (i = 0; i < hdrl_len;) {
+    const int old_i = i;
+
     /* List tags are completly ignored */
     lprintf("tag: %c%c%c%c\n",
             hdrl_data[i], hdrl_data[i+1], hdrl_data[i+2], hdrl_data[i+3]);
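Review bot: The loop condition `i < hdrl_len` still allows `hdrl_data[i+1]` through `hdrl_data[i+3]` to be read past the end of the header buffer when fewer than four bytes remain, and the new `old_i` bookkeeping does not cover that case. The visible read is in `lprintf`, but the rest of the body (outside this hunk) presumably reads the same tag bytes. A guard at the top of the body would close it: `if (hdrl_len - i < 4) ERR_EXIT(AVI_ERR_BAD_SIZE);`, with the bound raised if a size field is read after the tag. `old_i` is declared `const int`, so confirm `i` is not a wider type, otherwise the later comparison works on a truncated copy.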
@@ -1081,6 +1085,8 @@ static avi_t *XINE_MALLOC AVI_init(demux
       lasttag = 0;
     }
     i += n;
+    if (i <= old_i)
+      ERR_EXIT(AVI_ERR_BAD_SIZE);
   }
 
   if( hdrl_data )
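Review bot: The added `if (i <= old_i)` detects a bad size only after `i += n` has run; if `i` and `n` are signed (their declarations are outside the hunk), a large `n` makes that addition overflow, which is undefined behaviour, so the comparison is not guaranteed to catch it. Checking before the add avoids this and also rejects a size that reaches past the header: `if (n <= 0 || n > hdrl_len - i) ERR_EXIT(AVI_ERR_BAD_SIZE);`, loosened by the padding byte if `n` has been rounded up for alignment by then. It is also worth confirming that `ERR_EXIT` releases `hdrl_data`, since this path skips the `if( hdrl_data )` cleanup visible after the loop.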
