Mercurial > mplayer.hg

changeset 14164:5901a6392db3

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Security fixes ported from upstream (xine)
author rtognimp
date Wed, 15 Dec 2004 21:27:14 +0000
parents dd835e8f3698
children 0846071c22cb
files libmpdemux/pnm.c
diffstat 1 files changed, 26 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/libmpdemux/pnm.c	Wed Dec 15 19:12:46 2004 +0000
+++ b/libmpdemux/pnm.c	Wed Dec 15 21:27:14 2004 +0000
@@ -307,9 +307,12 @@
                          char *data, int *need_response) {
 
   unsigned int chunk_size;
-  int n;
+  unsigned int n;
   char *ptr;
  
+  if (max < PREAMBLE_SIZE)
+    return -1;
+
   /* get first PREAMBLE_SIZE bytes and ignore checksum */
   rm_read (p->s, data, CHECKSUM_SIZE);
   if (data[0] == 0x72)
@@ -317,6 +320,8 @@
   else
     rm_read (p->s, data+CHECKSUM_SIZE, PREAMBLE_SIZE-CHECKSUM_SIZE);
   
+  max -= PREAMBLE_SIZE;
+
   *chunk_type = BE_32(data);
   chunk_size = BE_32(data+4);
 
@@ -324,18 +329,30 @@
     case PNA_TAG:
       *need_response=0;
       ptr=data+PREAMBLE_SIZE;
+      if (max < 1)
+	return -1;
       rm_read (p->s, ptr++, 1);
+      max -= 1;
 
       while(1) {
 	/* expecting following chunk format: 0x4f <chunk size> <data...> */
 
+        if (max < 2)
+          return -1;
         rm_read (p->s, ptr, 2);
+        max -= 2;
 	if (*ptr == 'X') /* checking for server message */
 	{
 	  printf("input_pnm: got a message from server:\n");
+	  if (max < 1)
+	    return -1;
 	  rm_read (p->s, ptr+2, 1);
+	  max = -1;
 	  n=BE_16(ptr+1);
+	  if (max < n)
+	    return -1;
 	  rm_read (p->s, ptr+3, n);
+	  max -= n;
 	  ptr[3+n]=0;
 	  printf("%s\n",ptr+3);
 	  return -1;
@@ -354,10 +371,15 @@
 	}
 	if (*ptr != 0x4f) break;
 	n=ptr[1];
+	if (max < n)
+	  return -1;
 	rm_read (p->s, ptr+2, n);
+	max -= n;
 	ptr+=(n+2);
       }
       /* the checksum of the next chunk is ignored here */
+      if (max < 1)
+        return -1;
       rm_read (p->s, ptr+2, 1);
       ptr+=3;
       chunk_size=ptr-data;
@@ -367,10 +389,12 @@
     case PROP_TAG:
     case MDPR_TAG:
     case CONT_TAG:
-      if (chunk_size > max) {
+      if (chunk_size > max || chunk_size < PREAMBLE_SIZE) {
         printf("error: max chunk size exeeded (max was 0x%04x)\n", max);
+#ifdef LOG
         n=rm_read (p->s, &data[PREAMBLE_SIZE], 0x100 - PREAMBLE_SIZE);
         hexdump(data,n+PREAMBLE_SIZE);
+#endif
         return -1;
       }
       rm_read (p->s, &data[PREAMBLE_SIZE], chunk_size-PREAMBLE_SIZE);