Pullup ticket 317 - requested by Lubomir Sedlacik
Security fix for xine-lib: apply a manual patch that fixes the vulnerabilities noted in http://www.xinehq.de/index.php/security/XSA-2004-6
snj
committed
Feb 28, 2005
1 parent
fdc255c
commit 303d7ef
Showing
4 changed files
with
134 additions
and
3 deletions.
@@ -0,0 +1,102 @@ | ||
$NetBSD: patch-bc,v 1.2.2.2 2005/02/28 21:11:50 snj Exp $ | ||
|
||
--- src/input/pnm.c 2003/12/12 22:53:15 1.20 | ||
+++ src/input/pnm.c 2004/12/15 12:53:36 1.21 | ||
@@ -205,16 +205,21 @@ | ||
char *data, int *need_response) { | ||
|
||
unsigned int chunk_size; | ||
- int n; | ||
+ unsigned int n; | ||
char *ptr; | ||
- | ||
+ | ||
+ if( max < PREAMBLE_SIZE ) | ||
+ return -1; | ||
+ | ||
/* get first PREAMBLE_SIZE bytes and ignore checksum */ | ||
_x_io_tcp_read (p->stream, p->s, data, CHECKSUM_SIZE); | ||
if (data[0] == 0x72) | ||
_x_io_tcp_read (p->stream, p->s, data, PREAMBLE_SIZE); | ||
else | ||
_x_io_tcp_read (p->stream, p->s, data+CHECKSUM_SIZE, PREAMBLE_SIZE-CHECKSUM_SIZE); | ||
- | ||
+ | ||
+ max -= PREAMBLE_SIZE; | ||
+ | ||
*chunk_type = be2me_32(*((uint32_t *)data)); | ||
chunk_size = be2me_32(*((uint32_t *)(data+4))); | ||
|
||
@@ -222,7 +227,11 @@ | ||
case PNA_TAG: | ||
*need_response=0; | ||
ptr=data+PREAMBLE_SIZE; | ||
+ | ||
+ if( max < 1 ) | ||
+ return -1; | ||
_x_io_tcp_read (p->stream, p->s, ptr++, 1); | ||
+ max -= 1; | ||
|
||
while(1) { | ||
/* The pna chunk is devided into subchunks. | ||
@@ -235,17 +244,29 @@ | ||
* if first byte is 'F', we got an error | ||
*/ | ||
|
||
+ if( max < 2 ) | ||
+ return -1; | ||
_x_io_tcp_read (p->stream, p->s, ptr, 2); | ||
+ max -= 2; | ||
+ | ||
if (*ptr == 'X') /* checking for server message */ | ||
{ | ||
xprintf(p->stream->xine, XINE_VERBOSITY_DEBUG, "input_pnm: got a message from server:\n"); | ||
+ if( max < 1 ) | ||
+ return -1; | ||
_x_io_tcp_read (p->stream, p->s, ptr+2, 1); | ||
+ max -= 1; | ||
|
||
/* two bytes of message length*/ | ||
n=be2me_16(*(uint16_t*)(ptr+1)); | ||
|
||
/* message itself */ | ||
+ if( max < n ) | ||
+ return -1; | ||
_x_io_tcp_read (p->stream, p->s, ptr+3, n); | ||
+ max -= n; | ||
+ if( max < 1 ) | ||
+ return -1; | ||
ptr[3+n]=0; | ||
xprintf(p->stream->xine, XINE_VERBOSITY_DEBUG, "%s\n", ptr+3); | ||
return -1; | ||
@@ -265,10 +286,15 @@ | ||
} | ||
if (*ptr != 0x4f) break; | ||
n=ptr[1]; | ||
- _x_io_tcp_read (p->stream, p->s, ptr+2, n); | ||
+ if( max < n ) | ||
+ return -1; | ||
+ _x_io_tcp_read (p->stream, p->s, ptr+2, n); | ||
ptr+=(n+2); | ||
+ max-=n; | ||
} | ||
/* the checksum of the next chunk is ignored here */ | ||
+ if( max < 1 ) | ||
+ return -1; | ||
_x_io_tcp_read (p->stream, p->s, ptr+2, 1); | ||
ptr+=3; | ||
chunk_size=ptr-data; | ||
@@ -278,11 +304,11 @@ | ||
case PROP_TAG: | ||
case MDPR_TAG: | ||
case CONT_TAG: | ||
- if (chunk_size > max) { | ||
+ if (chunk_size > max || chunk_size < PREAMBLE_SIZE) { | ||
xprintf(p->stream->xine, XINE_VERBOSITY_DEBUG, "error: max chunk size exeeded (max was 0x%04x)\n", max); | ||
+#ifdef LOG | ||
/* reading some bytes for debugging */ | ||
n=_x_io_tcp_read (p->stream, p->s, &data[PREAMBLE_SIZE], 0x100 - PREAMBLE_SIZE); | ||
-#ifdef LOG | ||
xine_hexdump(data,n+PREAMBLE_SIZE); | ||
#endif | ||
return -1; |
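Review bot: In the PROP_TAG/MDPR_TAG/CONT_TAG error path, the debug read now under `#ifdef LOG` still requests a fixed `0x100 - PREAMBLE_SIZE` bytes into `&data[PREAMBLE_SIZE]` without comparing that length to `max`, so a LOG build can still write past the caller's buffer when less space than that remains. Clamp the length first, e.g. `unsigned int dbg = max < 0x100 - PREAMBLE_SIZE ? max : 0x100 - PREAMBLE_SIZE;`, and read `dbg` bytes. Because `n` is now `unsigned int`, a failed `_x_io_tcp_read` (presumably a negative return) would turn into a huge length in `xine_hexdump(data,n+PREAMBLE_SIZE)`, so the result should be checked before dumping. More generally, the added `max -= …` accounting assumes every `_x_io_tcp_read` delivered the full requested count, since none of the return values in these hunks are checked; after a short read the following parse works on stale bytes in `data`. The function begins and ends outside the visible hunks.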
@@ -0,0 +1,27 @@ | ||
$NetBSD: patch-bd,v 1.1.2.2 2005/02/28 21:11:50 snj Exp $ | ||
|
||
--- src/input/libreal/real.c 2004/09/08 15:09:30 1.19 | ||
+++ src/input/libreal/real.c 2004/12/15 12:53:46 1.20 | ||
@@ -604,6 +604,8 @@ | ||
return (n <= 0) ? 0 : n+12; | ||
} | ||
|
||
+//! maximum size of the rtsp description, must be < INT_MAX | ||
+#define MAX_DESC_BUF (20 * 1024 * 1024) | ||
rmff_header_t *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwidth) { | ||
|
||
char *description=NULL; | ||
@@ -652,6 +654,13 @@ | ||
else | ||
size=atoi(rtsp_search_answers(rtsp_session,"Content-length")); | ||
|
||
+ if (size > MAX_DESC_BUF) { | ||
+ printf("real: Content-length for description too big (> %uMB)!\n", | ||
+ MAX_DESC_BUF/(1024*1024) ); | ||
+ xine_buffer_free(buf); | ||
+ return NULL; | ||
+ } | ||
+ | ||
if (!rtsp_search_answers(rtsp_session,"ETag")) | ||
lprintf("real: got no ETag!\n"); | ||
else |
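Review bot: The new `size > MAX_DESC_BUF` test is only an upper bound on a value produced by `atoi`, and `size` is declared outside the hunk: if it is a signed `int`, a negative `Content-length` passes the check, and `atoi` reports no error for malformed or out-of-range input either way. Parsing the header with `strtol` (checking `endptr` and `errno`) and rejecting anything outside `0..MAX_DESC_BUF` would make the bound independent of the variable's signedness. Minor: `MAX_DESC_BUF/(1024*1024)` has type `int`, so the message should use `%d` rather than `%u`. The early return frees only `buf`; whether other allocations are live at that point cannot be seen from the hunk.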