# HG changeset patch
# User Darren Salt <linux@youmustbejoking.demon.co.uk>
# Date 1234285332 0
# Node ID f4235fa3726292e01a6118c18489a78dee3d72da
# Parent  aca4997f139d6120f736d9545237cc1144df274a
[mq]: broken-input-checks

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,7 +5,7 @@ xine-lib (1.1.17) 2009-??-??
     removing a break statement.
   * Enable libmpeg2new. This is not yet production code; the old mpeg2
     decoder remains the default.
-  * Fix a broken size check in the pvr input plugin (ref. CVE-2008-5239).
+  * Fix broken size checks in various input plugins (ref. CVE-2008-5239).
   * More malloc checking (ref. CVE-2008-5240).
   * Fix race conditions in gapless_switch (ref. kde bug #180339)
 
diff --git a/src/input/input_dvb.c b/src/input/input_dvb.c
--- a/src/input/input_dvb.c
+++ b/src/input/input_dvb.c
@@ -2602,7 +2602,9 @@ static buf_element_t *dvb_plugin_read_bl
   buf_element_t        *buf = fifo->buffer_pool_alloc (fifo);
   int                   total_bytes;
 
-  if (todo < 0 || todo > buf->size) {
+  if (todo > buf->max_size)
+    todo = buf->max_size;
+  if (todo < 0) {
     buf->free_buffer (buf);
     return NULL;
   }
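Review bot: The added clamp `if (todo > buf->max_size) todo = buf->max_size;` turns an oversized request into a silently shortened read where the old code returned NULL, and nothing in the hunk tells the caller that fewer bytes than requested may come back. A caller that keeps using its own `todo` as the data length, rather than the length recorded on the returned buffer, would then parse bytes that were never read; this is inferred, as no caller is visible here. I would add a comment above the clamp such as `/* clamp to buffer capacity: the block returned may be shorter than requested */` and move the `todo < 0` rejection ahead of it so the invalid-input check reads first. The same applies to the identical hunks in input_file.c, input_gnome_vfs.c, input_http.c, input_mms.c, input_net.c, input_pnm.c, input_pvr.c, input_rtp.c, input_rtsp.c, input_smb.c and input_stdin_fifo.c. The body of dvb_plugin_read_block continues outside the hunk, so how `todo` is used afterwards cannot be checked from here.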
diff --git a/src/input/input_file.c b/src/input/input_file.c
--- a/src/input/input_file.c
+++ b/src/input/input_file.c
@@ -169,7 +169,9 @@ static buf_element_t *file_plugin_read_b
   file_input_plugin_t  *this = (file_input_plugin_t *) this_gen;
   buf_element_t        *buf = fifo->buffer_pool_alloc (fifo);
 
-  if (todo < 0 || todo > buf->size) {
+  if (todo > buf->max_size)
+    todo = buf->max_size;
+  if (todo < 0) {
     buf->free_buffer (buf);
     return NULL;
   }
diff --git a/src/input/input_gnome_vfs.c b/src/input/input_gnome_vfs.c
--- a/src/input/input_gnome_vfs.c
+++ b/src/input/input_gnome_vfs.c
@@ -121,7 +121,9 @@ gnomevfs_plugin_read_block (input_plugin
 	off_t total_bytes;
 	buf_element_t *buf = fifo->buffer_pool_alloc (fifo);
 
-	if (todo < 0 || todo > buf->size) {
+	if (todo > buf->max_size)
+	  todo = buf->max_size;
+	if (todo < 0) {
 		buf->free_buffer (buf);
 		return NULL;
 	}
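Review bot: The added line `todo = buf->max_size;` is indented with a tab plus two spaces while the surrounding lines in this hunk indent with tabs only, and the unbraced `if` sits directly above a braced one. Bracing it with the file's tab indentation, `if (todo > buf->max_size) {` / `todo = buf->max_size;` / `}`, keeps the two checks visually distinct and stops a later edit from attaching a second statement to the wrong condition. The input_smb.c hunk has the same mixed indentation. gnomevfs_plugin_read_block continues outside the hunk.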
diff --git a/src/input/input_http.c b/src/input/input_http.c
--- a/src/input/input_http.c
+++ b/src/input/input_http.c
@@ -506,7 +506,9 @@ static buf_element_t *http_plugin_read_b
   off_t                 total_bytes;
   buf_element_t        *buf = fifo->buffer_pool_alloc (fifo);
 
-  if (todo < 0 || todo > buf->size) {
+  if (todo > buf->max_size)
+    todo = buf->max_size;
+  if (todo < 0) {
     buf->free_buffer (buf);
     return NULL;
   }
diff --git a/src/input/input_mms.c b/src/input/input_mms.c
--- a/src/input/input_mms.c
+++ b/src/input/input_mms.c
@@ -122,7 +122,9 @@ static buf_element_t *mms_plugin_read_bl
 
   lprintf ("mms_plugin_read_block: %"PRId64" bytes...\n", todo);
 
-  if (todo < 0 || todo > buf->size) {
+  if (todo > buf->max_size)
+    todo = buf->max_size;
+  if (todo < 0) {
     buf->free_buffer (buf);
     return NULL;
   }
diff --git a/src/input/input_net.c b/src/input/input_net.c
--- a/src/input/input_net.c
+++ b/src/input/input_net.c
@@ -291,7 +291,9 @@ static buf_element_t *net_plugin_read_bl
   buf_element_t        *buf = fifo->buffer_pool_alloc (fifo);
   off_t                 total_bytes;
 
-  if (todo < 0 || todo > buf->size) {
+  if (todo > buf->max_size)
+    todo = buf->max_size;
+  if (todo < 0) {
     buf->free_buffer (buf);
     return NULL;
   }
diff --git a/src/input/input_pnm.c b/src/input/input_pnm.c
--- a/src/input/input_pnm.c
+++ b/src/input/input_pnm.c
@@ -97,7 +97,9 @@ static buf_element_t *pnm_plugin_read_bl
 
   lprintf ("pnm_plugin_read_block: %"PRId64" bytes...\n", todo);
 
-  if (todo < 0 || todo > buf->size) {
+  if (todo > buf->max_size)
+    todo = buf->max_size;
+  if (todo < 0) {
     buf->free_buffer (buf);
     return NULL;
   }
diff --git a/src/input/input_pvr.c b/src/input/input_pvr.c
--- a/src/input/input_pvr.c
+++ b/src/input/input_pvr.c
@@ -1208,7 +1208,9 @@ static buf_element_t *pvr_plugin_read_bl
   }
 
   buf = fifo->buffer_pool_alloc (fifo);
-  if (todo < 0 || todo > buf->size) {
+  if (todo > buf->max_size)
+    todo = buf->max_size;
+  if (todo < 0) {
     buf->free_buffer(buf);
     return NULL;
   }
diff --git a/src/input/input_rtp.c b/src/input/input_rtp.c
--- a/src/input/input_rtp.c
+++ b/src/input/input_rtp.c
@@ -527,7 +527,9 @@ static buf_element_t *rtp_plugin_read_bl
   buf_element_t        *buf = fifo->buffer_pool_alloc (fifo);
   int                   total_bytes;
 
-  if (todo < 0 || todo > buf->size) {
+  if (todo > buf->max_size)
+    todo = buf->max_size;
+  if (todo < 0) {
     buf->free_buffer (buf);
     return NULL;
   }
diff --git a/src/input/input_rtsp.c b/src/input/input_rtsp.c
--- a/src/input/input_rtsp.c
+++ b/src/input/input_rtsp.c
@@ -98,7 +98,9 @@ static buf_element_t *rtsp_plugin_read_b
 
   lprintf ("rtsp_plugin_read_block: %"PRId64" bytes...\n", todo);
 
-  if (todo < 0 || todo > buf->size) {
+  if (todo > buf->max_size)
+    todo = buf->max_size;
+  if (todo < 0) {
     buf->free_buffer (buf);
     return NULL;
   }
diff --git a/src/input/input_smb.c b/src/input/input_smb.c
--- a/src/input/input_smb.c
+++ b/src/input/input_smb.c
@@ -91,7 +91,9 @@ smb_plugin_read_block (input_plugin_t *t
 	off_t total_bytes;
 	buf_element_t *buf = fifo->buffer_pool_alloc (fifo);
 
-	if (todo < 0 || todo > buf->size) {
+	if (todo > buf->max_size)
+	  todo = buf->max_size;
+	if (todo < 0) {
 		buf->free_buffer (buf);
 		return NULL;
 	}
diff --git a/src/input/input_stdin_fifo.c b/src/input/input_stdin_fifo.c
--- a/src/input/input_stdin_fifo.c
+++ b/src/input/input_stdin_fifo.c
@@ -123,7 +123,9 @@ static buf_element_t *stdin_plugin_read_
   /* stdin_input_plugin_t  *this = (stdin_input_plugin_t *) this_gen; */
   buf_element_t         *buf = fifo->buffer_pool_alloc (fifo);
 
-  if (todo < 0 || todo > buf->size) {
+  if (todo > buf->max_size)
+    todo = buf->max_size;
+  if (todo < 0) {
     buf->free_buffer (buf);
     return NULL;
   }
