Sanity-check ASF header sizes.
This fixes a crash in the ASF demuxer, caused by the example exploit file given
for CVE-2006-1664.
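--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,8 @@
 end authors should be careful with xine-lib older than 1.1.10.
 * Backported xine-config & libxine.pc from 1.2.
 Consequently, xine-config now requires pkg-config.
+* Sanity-check ASF header sizes. This fixes a crash in the ASF demuxer,
+caused by the example exploit given for CVE-2006-1664.
 
 xine-lib (1.1.9.1) 2008-01-11
 * Security fixes: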
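--- a/src/demuxers/demux_asf.c
+++ b/src/demuxers/demux_asf.c
@@ -379,10 +379,21 @@
 char *asf_header_buffer = NULL;
 
 asf_header_len = get_le64(this);
-asf_header_buffer = alloca(asf_header_len);
+if (asf_header_len > 4 * 1024 * 1024)
+{
+xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG,
+"demux_asf: asf_read_header: overly-large header? (%"PRIu64" bytes)\n",
+asf_header_len);
+return 0;
+}
+
+asf_header_buffer = malloc (asf_header_len);
 
 if (this->input->read (this->input, asf_header_buffer, asf_header_len) != asf_header_len)
+{
+free (asf_header_buffer);
 return 0;
+}
 
 /* delete previous header */
 if (this->asf_header) {
@@ -395,7 +406,11 @@
 */
 this->asf_header = asf_header_new(asf_header_buffer, asf_header_len);
 if (!this->asf_header)
+{
+free (asf_header_buffer);
 return 0;
+}
+free (asf_header_buffer);
 
 lprintf("asf header parsing ok\n");
 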
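Review bot: The result of `asf_header_buffer = malloc (asf_header_len);` is handed straight to `this->input->read` without a NULL check, so an allocation failure (now reachable for any attacker-chosen length up to the new 4 MiB cap) would most likely dereference NULL inside the read callback instead of failing cleanly; add `if (!asf_header_buffer) return 0;` directly after the allocation. The three separate `free (asf_header_buffer)` calls could be replaced by a single goto-style cleanup label, which would also cover any early return in the previous-header deletion code that lies between the two hunks and is not visible here. The `4 * 1024 * 1024` bound is a bare literal in the comparison; a named constant (e.g. a `#define` such as `ASF_MAX_HEADER_LEN`, name to be chosen) with a comment on why that limit is adequate would document the sanity check for the next reader. The enclosing function (asf_read_header, going by the log message) begins before the first hunk and continues past the second.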