Add boundary check on speex mode, see bug #83. 1.1.12 xine-lib-1_1_12-release
authorDiego 'Flameeyes' Pettenò <flameeyes@gmail.com>
Mon, 14 Apr 2008 22:38:03 +0200
changeset 929466e1654718fb
parent 9293 3eee61c46576
child 9295 1aad6519fe8e
Add boundary check on speex mode, see bug #83.
ChangeLog
src/libxineadec/xine_speex_decoder.c
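--- a/ChangeLog	Mon Apr 14 21:28:26 2008 +0100
+++ b/ChangeLog	Mon Apr 14 22:38:03 2008 +0200
@@ -1,4 +1,6 @@
 xine-lib (1.1.12) 2008-??-??
+  * Security fixes:
+    - Insufficient boundary check in speex audio decoder. (CVE-2008-1686)
   * Fixed and improved the PulseAudio driver.
   * Fixed a regression in 1.1.11.1 which broke Quicktime container handling.
   * And another, this time in the Matroska demuxer.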
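--- a/src/libxineadec/xine_speex_decoder.c	Mon Apr 14 21:28:26 2008 +0100
+++ b/src/libxineadec/xine_speex_decoder.c	Mon Apr 14 22:38:03 2008 +0200
@@ -204,7 +204,7 @@
       if (!this->st) {
 	SpeexMode * spx_mode;
 	SpeexHeader * spx_header;
-	int modeID;
+	unsigned int modeID;
 	int bitrate;
 
 	speex_bits_init (&this->bits);
@@ -216,7 +216,12 @@
 	  return;
 	}
 
-	modeID = spx_header->mode;
+	modeID = (unsigned int)spx_header->mode;
+	if (modeID >= SPEEX_NB_MODES) {
+	  xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, LOG_MODULE ": invalid mode ID %u\n", modeID);
+	  return;
+	}
+	
 	spx_mode = (SpeexMode *) speex_mode_list[modeID];
 
 	if (spx_mode->bitstream_version != spx_header->mode_bitstream_version) {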
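Review bot: The new `return;` for an out-of-range mode ID exits after `speex_bits_init (&this->bits)` has already run in the same block, and nothing on that path releases it. Since `this->st` is presumably still NULL afterwards, the next buffer would re-enter the block and initialise the bits again, so a stream that keeps presenting a bad header could leak on every packet. I would add `speex_bits_destroy (&this->bits);` before the `return;`, and release `spx_header` there too if the header parser heap-allocates it (that call sits between the two hunks and is not visible). The earlier `return;` at the top of the second hunk appears to have the same gap. The enclosing `if (!this->st)` block opens in the first hunk and closes outside the visible lines.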