From: Darren S. <li...@yo...> - 2009-01-16 18:16:37
# HG changeset patch # User Darren Salt <li...@yo...> # Date 1232129777 0 # Node ID 5df277a7eec373d9c9dffbf586f6a6a8e69b7d4c # Parent c1d5466bb972b83932189ca180705a537ffe84bc Fix a broken size check in the pvr input plugin (ref. CVE-2008-5239). diff -r 5df277a7eec373d9c9dffbf586f6a6a8e69b7d4c -r c1d5466bb972b83932189ca180705a537ffe84bc ChangeLog --- a/ChangeLog Fri Jan 16 18:16:17 2009 +0000 +++ b/ChangeLog Fri Jan 16 16:52:16 2009 +0000 @@ -2,6 +2,7 @@ xine-lib (1.1.17) 2009-??-?? * Build fixes related to ImageMagick 6.4 & later. * Enable libmpeg2new. This is not yet production code; the old mpeg2 decoder remains the default. + * Fix a broken size check in the pvr input plugin (ref. CVE-2008-5239). xine-lib (1.1.16.1) 2009-01-11 * Fix build with older ffmpeg, both internal and in Debian 5.0. diff -r 5df277a7eec373d9c9dffbf586f6a6a8e69b7d4c -r c1d5466bb972b83932189ca180705a537ffe84bc src/input/input_pvr.c --- a/src/input/input_pvr.c Fri Jan 16 18:16:17 2009 +0000 +++ b/src/input/input_pvr.c Fri Jan 16 16:52:16 2009 +0000 @@ -1202,12 +1202,15 @@ static buf_element_t *pvr_plugin_read_bl buf_element_t *buf; int speed = _x_get_speed(this->stream); - if (todo < 0 || todo > buf->size) - return NULL; - if( !this->pvr_running ) { xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, "input_pvr: thread died, aborting\n"); return NULL; + } + + buf = fifo->buffer_pool_alloc (fifo); + if (todo < 0 || todo > buf->size) { + buf->free_buffer(buf); + return NULL; } if( this->scr_tunning == -2 ) @@ -1233,7 +1236,6 @@ static buf_element_t *pvr_plugin_read_bl pvr_event_handler(this); - buf = fifo->buffer_pool_alloc (fifo); buf->content = buf->mem; pthread_mutex_lock(&this->lock); |
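Review bot: The relocated test `if (todo < 0 || todo > buf->size)` in the first input_pvr.c hunk is only valid because `buf = fifo->buffer_pool_alloc (fifo);` now runs immediately before it, and nothing in the new lines records that ordering. The removed lines show the same test reading `buf->size` before `buf` was assigned, so a comment above the allocation such as `/* buf must come from the pool before todo is compared with buf->size */` would guard against the check being hoisted again. The rejection path also returns NULL without a message, unlike the `pvr_running` branch above it. A line such as `xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, "input_pvr: bad read size, aborting\n");` before `buf->free_buffer(buf);` would make rejected requests visible in debug output. The function starts and ends outside the hunk, so how `todo` is used after the check cannot be confirmed from here.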