# HG changeset patch
# User Darren Salt <linux@youmustbejoking.demon.co.uk>
# Date 1234285334 0
# Node ID 0913b7db56e5e495667eacb347325b8b22539a02
# Parent  f4235fa3726292e01a6118c18489a78dee3d72da
imported patch 4xm-sec

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,7 @@ xine-lib (1.1.17) 2009-??-??
   * Fix broken size checks in various input plugins (ref. CVE-2008-5239).
   * More malloc checking (ref. CVE-2008-5240).
   * Fix race conditions in gapless_switch (ref. kde bug #180339)
+  * Fix a possible integer overflow in the 4XM demuxer. (TKADV2009-004.txt)
 
 xine-lib (1.1.16.1) 2009-01-11
   * Fix build with older ffmpeg, both internal and in Debian 5.0.
diff --git a/src/demuxers/demux_4xm.c b/src/demuxers/demux_4xm.c
--- a/src/demuxers/demux_4xm.c
+++ b/src/demuxers/demux_4xm.c
@@ -192,6 +192,10 @@ static int open_fourxm_file(demux_fourxm
       const uint32_t current_track = _X_LE_32(&header[i + 8]);
       if (current_track + 1 > fourxm->track_count) {
         fourxm->track_count = current_track + 1;
+        if (fourxm->track_count >= UINT_MAX / sizeof(audio_track_t)) {
+          free(header);
+          return 0;
+        }
         fourxm->tracks = realloc(fourxm->tracks,
           fourxm->track_count * sizeof(audio_track_t));
         if (!fourxm->tracks) {
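Review bot: The added bound sits inside `if (current_track + 1 > fourxm->track_count)`, and `current_track` is a `uint32_t` read from the file header, so a value of 0xFFFFFFFF makes `current_track + 1` wrap to 0 and the whole branch, including the new check, is skipped. If the code after this hunk indexes `fourxm->tracks[current_track]` (not visible here), that slot was never allocated; rejecting the value before the increment would close this, e.g. `if (current_track >= UINT_MAX / sizeof(audio_track_t) - 1) { free(header); return 0; }` placed ahead of the comparison. `fourxm->track_count` has also already been raised when the new early return fires, so the struct is left with a count larger than the allocated array; assigning the count only after the check and a successful `realloc` would keep the two consistent. open_fourxm_file starts and ends outside the hunk, so whether callers release `fourxm->tracks` on this error path cannot be confirmed from here.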
