Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.1
xine-lib
sec-005-cve-2008-5237.diff
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File sec-005-cve-2008-5237.diff of Package xine-lib
tree 6f52eb5e3820 parent e38bb4b22431 author Matthias Hopf <mhopf@suse.de> 1231089706 0 committer Matthias Hopf <mhopf@suse.de> 1231089706 0 revision 9637 branch default Fix for CVE-2008-5237 Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and earlier versions, allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via (1) crafted width and height values that are not validated by the mymng_process_header function in demux_mng.c before use in an allocation calculation or (2) crafted current_atom_size and string_size values processed by the parse_reference_atom function in demux_qt.c. diff --git a/src/demuxers/demux_mng.c b/src/demuxers/demux_mng.c --- a/src/demuxers/demux_mng.c +++ b/src/demuxers/demux_mng.c @@ -111,6 +111,9 @@ static mng_bool mymng_process_header(mng_handle mngh, mng_uint32 width, mng_uint32 height){ demux_mng_t *this = (demux_mng_t*)mng_get_userdata(mngh); + + if (width > 0x8000 || height > 0x8000) + return MNG_FALSE; this->bih.biWidth = (width + 7) & ~7; this->bih.biHeight = height; diff --git a/src/demuxers/demux_qt.c b/src/demuxers/demux_qt.c --- a/src/demuxers/demux_qt.c +++ b/src/demuxers/demux_qt.c @@ -1597,13 +1597,16 @@ qt_atom current_atom; unsigned int current_atom_size; + if (ref_atom_size >= 0x80000000) + return QT_NOT_A_VALID_FILE; + /* initialize reference atom */ ref->url = NULL; ref->data_rate = 0; ref->qtim_version = 0; /* traverse through the atom looking for the key atoms */ - for (i = ATOM_PREAMBLE_SIZE; i < ref_atom_size - 4; i++) { + for (i = ATOM_PREAMBLE_SIZE; i + 4 < ref_atom_size; i++) { current_atom_size = _X_BE_32(&ref_atom[i - 4]); current_atom = _X_BE_32(&ref_atom[i]); @@ -1612,7 +1615,7 @@ size_t string_size = _X_BE_32(&ref_atom[i + 12]); size_t url_offset = 0; - if (string_size >= current_atom_size || i + string_size >= ref_atom_size) + if (string_size >= current_atom_size || string_size >= ref_atom_size - i) return QT_NOT_A_VALID_FILE; /* if the URL starts with "http://", copy it */ @@ -1620,6 +1623,8 @@ memcmp(&ref_atom[i + 16], "rtsp://", 7) && base_mrl ) url_offset = strlen(base_mrl); + if (url_offset >= 0x80000000) + return QT_NOT_A_VALID_FILE; /* otherwise, append relative URL to base MRL */ string_size += url_offset;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor