[MPlayer-cvslog] r29184 - branches/1.0rc1/libmpdemux/demux_vqf.c

siretart subversion at mplayerhq.hu
Thu Apr 16 00:38:31 CEST 2009


Author: siretart
Date: Thu Apr 16 00:38:30 2009
New Revision: 29184

Log:
SA33136: MPlayer TwinVQ Processing Buffer Overflow Vulnerability
Thanks to T. Klein, G. Iuculano, R. Döffinger. cf http://bugs.debian.org/508803
Fixes CVE-2008-5616.

Thanks to Steve Kemp <skx at debian.org> for preparing the patch.

Security fix backported from 28149

Modified:
   branches/1.0rc1/libmpdemux/demux_vqf.c

Modified: branches/1.0rc1/libmpdemux/demux_vqf.c
==============================================================================
--- branches/1.0rc1/libmpdemux/demux_vqf.c	Wed Apr 15 22:00:26 2009	(r29183)
+++ branches/1.0rc1/libmpdemux/demux_vqf.c	Thu Apr 16 00:38:30 2009	(r29184)
@@ -49,11 +49,14 @@ static demuxer_t* demux_open_vqf(demuxer
     unsigned chunk_size;
     hi->size=chunk_size=stream_read_dword(s); /* include itself */
     stream_read(s,chunk_id,4);
+    if (chunk_size < 8) return NULL;
+    chunk_size -= 8;
     if(*((uint32_t *)&chunk_id[0])==mmioFOURCC('C','O','M','M'))
     {
-    char buf[chunk_size-8];
+    char buf[BUFSIZ];
     unsigned i,subchunk_size;
-    if(stream_read(s,buf,chunk_size-8)!=chunk_size-8) return NULL;
+    if (chunk_size > sizeof(buf) || chunk_size < 20) return NULL;
+    if(stream_read(s,buf,chunk_size)!=chunk_size) return NULL;
     i=0;
     subchunk_size=be2me_32(*((uint32_t *)&buf[0]));
     hi->channelMode=be2me_32(*((uint32_t *)&buf[4]));
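Review bot: The new bound on the COMM chunk is `BUFSIZ`, which is the stdio stream-buffer size from `<stdio.h>` and is implementation-defined (commonly 8192, but 512 or 1024 on some C libraries), so the largest COMM chunk this demuxer accepts now varies by platform and a legitimate file can be rejected on a small-BUFSIZ build. The limit is a parser decision and deserves its own named constant next to the other magic value `20` in the same check, e.g. `enum { VQF_COMM_MAX = 8192, VQF_COMM_MIN = 20 };`, then `char buf[VQF_COMM_MAX];` and `if (chunk_size > sizeof(buf) || chunk_size < VQF_COMM_MIN) return NULL;`. A one-line comment on the minimum would also help, since `20` is presumably the number of header bytes the fixed `buf[0]`, `buf[4]`, ... reads below need — confirm against the lines after this hunk. demux_open_vqf starts before the hunk and continues after it, so whatever `return NULL` leaves allocated (e.g. `hi`) is not visible here.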
@@ -82,13 +85,15 @@ static demuxer_t* demux_open_vqf(demuxer
     sh_audio->samplesize = 4;
     w->wBitsPerSample = 8*sh_audio->samplesize;
     w->cbSize = 0;
+    if (subchunk_size > chunk_size - 4) continue;
     i+=subchunk_size+4;
-    while(i<chunk_size-8)
+    while(i + 8 < chunk_size)
     {
         unsigned slen,sid;
-        char sdata[chunk_size];
+        char sdata[BUFSIZ];
         sid=*((uint32_t *)&buf[i]); i+=4;
         slen=be2me_32(*((uint32_t *)&buf[i])); i+=4;
+        if (slen > sizeof(sdata) - 1 || slen > chunk_size - i) break;
         if(sid==mmioFOURCC('D','S','I','Z'))
         {
         hi->Dsiz=be2me_32(*((uint32_t *)&buf[i]));
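Review bot: The added `if (subchunk_size > chunk_size - 4) continue;` reacts to a malformed COMM header differently from the sibling checks added in the first hunk, which `return NULL`; here the outer chunk loop simply moves on with `hi` and `sh_audio` only partly filled, and whether the code after the loop tolerates the missing subchunk fields (`Dsiz` etc.) cannot be seen from this hunk. If that is deliberate it should say so, otherwise `if (subchunk_size > chunk_size - 4) return NULL;` matches the rest of the commit. The inner `break` on an oversized `slen` is likewise silent; since these are exactly the inputs the fix exists for, a `mp_msg(MSGT_DEMUX, MSGL_V, "COMM subchunk too large, ignoring rest\n");` before the `break` makes a crafted or truncated file visible in the log. The `sizeof(sdata) - 1` reservation presumably leaves room for a NUL terminator written after this hunk — confirm, and note it in a comment so the `- 1` does not get "fixed" later.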
@@ -140,7 +145,7 @@ static demuxer_t* demux_open_vqf(demuxer
     if(*((uint32_t *)&chunk_id[0])==mmioFOURCC('D','A','T','A'))
     {
     demuxer->movi_start=stream_tell(s);
-    demuxer->movi_end=demuxer->movi_start+chunk_size-8;
+    demuxer->movi_end=demuxer->movi_start+chunk_size;
     mp_msg(MSGT_DEMUX, MSGL_V, "Found data at %"PRIX64" size %"PRIu64"\n",demuxer->movi_start,demuxer->movi_end);
     /* Done! play it */
     break;
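Review bot: `chunk_size` is still file-supplied when it is added to `movi_start`, so a crafted DATA chunk length places `movi_end` past the end of the stream; nothing in this hunk clamps it, and whether the read path later bounds by the real stream length is outside the visible code. The log line on the next context line also labels the second value "size" while it prints `demuxer->movi_end`, which is an end offset; `"Found data at %"PRIX64" end %"PRIu64"\n"` would describe what is actually printed and makes a bogus length easier to spot in verbose output.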
@@ -148,7 +153,7 @@ static demuxer_t* demux_open_vqf(demuxer
     else
     {
     mp_msg(MSGT_DEMUX, MSGL_V, "Unhandled chunk '%c%c%c%c' %u bytes\n",((char *)&chunk_id)[0],((char *)&chunk_id)[1],((char *)&chunk_id)[2],((char *)&chunk_id)[3],chunk_size);
-    stream_skip(s,chunk_size-8); /*unknown chunk type */
+    stream_skip(s,chunk_size); /*unknown chunk type */
     }
   }
 

