Sanity-check ASF header sizes.
authorDarren Salt <linux@youmustbejoking.demon.co.uk>
Wed, 23 Jan 2008 19:40:16 +0000
changeset 9140fb6d089b520d
parent 9139 461fae9b8fca
child 9141 1a0447486a13
Sanity-check ASF header sizes.
This fixes a crash in the ASF demuxer, caused by the example exploit file given
for CVE-2006-1664.
ChangeLog
src/demuxers/demux_asf.c
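--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,8 @@
     end authors should be careful with xine-lib older than 1.1.10.
   * Backported xine-config & libxine.pc from 1.2.
     Consequently, xine-config now requires pkg-config.
+  * Sanity-check ASF header sizes. This fixes a crash in the ASF demuxer,
+    caused by the example exploit given for CVE-2006-1664.
 
 xine-lib (1.1.9.1) 2008-01-11
   * Security fixes: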
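--- a/src/demuxers/demux_asf.c
+++ b/src/demuxers/demux_asf.c
@@ -379,10 +379,21 @@
   char *asf_header_buffer = NULL;
 
   asf_header_len = get_le64(this);
-  asf_header_buffer = alloca(asf_header_len);
+  if (asf_header_len > 4 * 1024 * 1024)
+  {
+    xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, 
+	    "demux_asf: asf_read_header: overly-large header? (%"PRIu64" bytes)\n",
+	    asf_header_len);
+    return 0;
+  }
+
+  asf_header_buffer = malloc (asf_header_len);
 
   if (this->input->read (this->input, asf_header_buffer, asf_header_len) != asf_header_len)
+  {
+    free (asf_header_buffer);
     return 0;
+  }
 
   /* delete previous header */
   if (this->asf_header) {
@@ -395,7 +406,11 @@
    */
   this->asf_header = asf_header_new(asf_header_buffer, asf_header_len);
   if (!this->asf_header)
+  {
+    free (asf_header_buffer);
     return 0;
+  }
+  free (asf_header_buffer);
 
   lprintf("asf header parsing ok\n");
 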
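Review bot: In the first hunk the result of `asf_header_buffer = malloc (asf_header_len);` is handed to `this->input->read` without a NULL check, so an allocation failure turns the crash this commit fixes into a write through a null pointer; add `if (!asf_header_buffer) return 0;` between the malloc and the read. The size cap admits `asf_header_len == 0`, for which `malloc` may also return NULL, so the same check covers that case. The two failure paths and the success path each call `free (asf_header_buffer)` separately; a single cleanup label would keep the buffer's ownership in one place, though that is a matter of style. asf_read_header starts before the first hunk and continues past the second, so any other early return outside this view that is reached after the malloc needs the same free.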