From: Michael R. <mr...@us...> - 2004-12-15 21:03:11
Update of /cvsroot/xine/xine-lib/src/demuxers In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv31474/demuxers Modified Files: demux_aiff.c Log Message: check for the chunk size the file tells us before blindly overflowing the buffer; this was remotely exploitable, thanks to Ariel Berkman for catching this and D. J. Bernstein for reporting it Index: demux_aiff.c =================================================================== RCS file: /cvsroot/xine/xine-lib/src/demuxers/demux_aiff.c,v retrieving revision 1.39 retrieving revision 1.40 diff -u -r1.39 -r1.40 --- demux_aiff.c 13 Jun 2004 21:28:52 -0000 1.39 +++ demux_aiff.c 15 Dec 2004 21:03:02 -0000 1.40 @@ -120,6 +120,12 @@ } chunk_type = BE_32(&preamble[0]); chunk_size = BE_32(&preamble[4]); + + if (chunk_size > sizeof(buffer) / sizeof(buffer[0])) { + /* the chunk is too large to fit in the buffer -> this cannot be an aiff chunk */ + this->status = DEMUX_FINISHED; + return 0; + } if (chunk_type == COMM_TAG) { if (this->input->read(this->input, buffer, chunk_size) != |
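Review bot: the new guard compares chunk_size against sizeof(buffer) / sizeof(buffer[0]), an element count, while the read() call two lines below passes chunk_size to the input as a byte count; the two only agree when buffer's element type is one byte wide, so the bound is better written as sizeof(buffer) to make the byte-count intent explicit and keep the check correct if the array type ever changes. The guard also leaves the lower end open: a COMM chunk whose chunk_size is smaller than the fixed header fields the demuxer reads after this point would still be accepted, leaving those fields to be read from whatever the buffer previously held, so a minimum-size check for COMM_TAG (against the size the parser actually consumes, not visible in this hunk) would be a worthwhile companion to this fix. Finally, the comment "this cannot be an aiff chunk" reads as a format judgement; a one-line note that this is the bound that closes the remote buffer overflow named in the log message would make the security intent clear to the next reader.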