[xine-cvs] CVS: xine-lib/src/demuxers demux_aiff.c,1.39,1.40

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Update of /cvsroot/xine/xine-lib/src/demuxers
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv31474/demuxers

Modified Files:
	demux_aiff.c 
Log Message:
check for the chunk size the file tells us before blindly overflowing
the buffer; this was remotely exploitable, thanks to Ariel Berkman for
catching this and D. J. Bernstein for reporting it


Index: demux_aiff.c
===================================================================
RCS file: /cvsroot/xine/xine-lib/src/demuxers/demux_aiff.c,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40

--- demux_aiff.c	13 Jun 2004 21:28:52 -0000	1.39
+++ demux_aiff.c	15 Dec 2004 21:03:02 -0000	1.40
@@ -120,6 +120,12 @@
     }
     chunk_type = BE_32(&preamble[0]);
     chunk_size = BE_32(&preamble[4]);
+    
+    if (chunk_size > sizeof(buffer) / sizeof(buffer[0])) {
+      /* the chunk is too large to fit in the buffer -> this cannot be an aiff chunk */
+      this->status = DEMUX_FINISHED;
+      return 0;
+    }
 
     if (chunk_type == COMM_TAG) {
       if (this->input->read(this->input, buffer, chunk_size) !=



