Update of /cvsroot/xine/xine-lib/src/demuxers
In directory sc8-pr-cvs10.sourceforge.net:/tmp/cvs-serv20736

Modified Files:
        demux_asf.c 
Log Message:
Fix a serious overflow of the asf_header buffer: allocate the read buffer with alloca()
instead of using a fixed-size buffer.
This fixes the crash reported by İsmail Dönmez in WMA files, and prevents 
possible exploits.
Also thanks to Tavis Ormandy for the help handling the problem.


Index: demux_asf.c
===================================================================
RCS file: /cvsroot/xine/xine-lib/src/demuxers/demux_asf.c,v
retrieving revision 1.187
retrieving revision 1.188
diff -u -r1.187 -r1.188
--- demux_asf.c 26 Nov 2006 17:03:12 -0000      1.187
+++ demux_asf.c 29 Nov 2006 21:26:52 -0000      1.188
@@ -70,8 +70,6 @@
 #define ASF_MODE_ASF_REF           3
 #define ASF_MODE_ENCRYPTED_CONTENT 4
 
-#define ASF_HEADER_SIZE          8192  /* max header size */
-
 typedef struct {
   int                 seq;
 
@@ -154,8 +152,6 @@
   /* for fewer error messages */
   GUID               last_unknown_guid;
 
-  uint8_t            asf_header_buffer[ASF_HEADER_SIZE];
-  uint32_t           asf_header_len;
   asf_header_t      *asf_header;
 
 } demux_asf_t ;
@@ -378,10 +374,13 @@
 
 static int asf_read_header (demux_asf_t *this) {
   int i;
+  uint64_t asf_header_len;
+  char *asf_header_buffer = NULL;
 
-  this->asf_header_len = get_le64(this);
+  asf_header_len = get_le64(this);
+  asf_header_buffer = alloca(asf_header_len);
 
-  if (this->input->read (this->input, this->asf_header_buffer, 
this->asf_header_len) != this->asf_header_len)
+  if (this->input->read (this->input, asf_header_buffer, asf_header_len) != 
asf_header_len)
     return 0;
 
   /* delete previous header */
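Review bot: The length passed to alloca() on the `+  asf_header_buffer = alloca(asf_header_len);` line comes straight from the file via get_le64() and is never bounded, so the fixed-size overflow is replaced by an unbounded stack allocation: alloca() has no failure return, and a request larger than the remaining stack leaves the stack pointer outside the stack, after which the read() on the next line writes through that pointer. Reject oversize headers before allocating, e.g. `if (asf_header_len > ASF_HEADER_MAX_LEN /* new constant, a few MiB is ample for an ASF header */) return 0;`, and consider malloc()/free() instead of alloca() so that an allocation failure becomes an ordinary error return rather than undefined behaviour. The same unchecked length is forwarded to asf_header_new() in the following hunk, so that call also relies on this bound. asf_read_header's body continues past this hunk.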
@@ -393,7 +392,7 @@
    *   byte  0-15: header guid
    *   byte 16-23: header length
    */
-  this->asf_header = asf_header_new(this->asf_header_buffer, 
this->asf_header_len);
+  this->asf_header = asf_header_new(asf_header_buffer, asf_header_len);
   if (!this->asf_header)
     return 0;
 

