From: Thomas V. <tv...@be...> - 2009-01-07 16:39:57
# HG changeset patch # User Thomas Viehmann <tv...@be...> # Date 1230770715 -3600 # Node ID 9f367688cc08e9cf9e5a2a9b48869eb80c5effec # Parent 65f524e1462381f6489b376e20ad605bea83ce57 check for negative/too large return values of get_size when demuxing mod streams get_size might return -1 (e.g. for streams whose size is unknown), but demux_mod is not able to handle this. This is particularly bad because it is later assigned to unsigned types (demux_mod_t.filesize is size_t). Based on a patch by Matthias Hopf <mh...@su...>.
diff -r 9f367688cc08e9cf9e5a2a9b48869eb80c5effec -r 65f524e1462381f6489b376e20ad605bea83ce57 src/demuxers/demux_mod.c
--- a/src/demuxers/demux_mod.c Thu Jan 01 01:45:15 2009 +0100
+++ b/src/demuxers/demux_mod.c Wed Dec 31 22:47:32 2008 +0100
@@ -130,9 +130,16 @@ static int probe_mod_file(demux_mod_t *t
 /* returns 1 if the MOD file was opened successfully, 0 otherwise */
 static int open_mod_file(demux_mod_t *this) {
 int total_read;
+ off_t input_length;
 /* Get size and create buffer */
- this->filesize = this->input->get_length(this->input);
+ input_length = this->input->get_length(this->input);
+ /* Avoid potential issues with signed variables and e.g. read() returning -1 */
+ if (input_length > 0x7FFFFFFF || input_length < 0) {
+ xine_log(this->stream->xine, XINE_LOG_PLUGIN, "modplug - size overflow\n");
+ return 0;
+ }
+ this->filesize = input_length;
 this->buffer = (char *)malloc(this->filesize);
 if(!this->buffer) {
 xine_log(this->stream->xine, XINE_LOG_PLUGIN, "modplug - allocation failure\n");
|
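Review bot: The new guard in open_mod_file rejects negative and over-large lengths but still lets a length of 0 through to `malloc(this->filesize)`, whose result for a zero size is implementation-defined: it may be NULL, which logs a misleading "allocation failure", or a zero-size buffer that the rest of the function (which continues outside this hunk) then has to cope with. Rejecting it in the same test would close that path: `if (input_length <= 0 || input_length > 0x7FFFFFFF) {`. The message "modplug - size overflow" is also logged when get_length reports an unknown size, so a separate message for the negative case would keep the log accurate. The literal 0x7FFFFFFF presumably matches `int total_read`; a short comment saying so, or using INT_MAX, would document where the bound comes from.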