mirror of https://github.com/mpv-player/mpv synced 2025-01-11 17:39:38 +00:00

Security fixes ported from upstream (xine)

git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@14165 b3059339-0415-0410-9bf9-f77b7e298cf2
rtognimp 2004-12-15 21:27:14 +00:00
parent 343d83d5a6
commit 74abb5e853


@ -307,9 +307,12 @@ static unsigned int pnm_get_chunk(pnm_t *p,
char *data, int *need_response) { char *data, int *need_response) {
unsigned int chunk_size; unsigned int chunk_size;
int n; unsigned int n;
char *ptr; char *ptr;
if (max < PREAMBLE_SIZE)
return -1;
/* get first PREAMBLE_SIZE bytes and ignore checksum */ /* get first PREAMBLE_SIZE bytes and ignore checksum */
rm_read (p->s, data, CHECKSUM_SIZE); rm_read (p->s, data, CHECKSUM_SIZE);
if (data[0] == 0x72) if (data[0] == 0x72)
@ -317,6 +320,8 @@ static unsigned int pnm_get_chunk(pnm_t *p,
else else
rm_read (p->s, data+CHECKSUM_SIZE, PREAMBLE_SIZE-CHECKSUM_SIZE); rm_read (p->s, data+CHECKSUM_SIZE, PREAMBLE_SIZE-CHECKSUM_SIZE);
max -= PREAMBLE_SIZE;
*chunk_type = BE_32(data); *chunk_type = BE_32(data);
chunk_size = BE_32(data+4); chunk_size = BE_32(data+4);
@ -324,18 +329,30 @@ static unsigned int pnm_get_chunk(pnm_t *p,
case PNA_TAG: case PNA_TAG:
*need_response=0; *need_response=0;
ptr=data+PREAMBLE_SIZE; ptr=data+PREAMBLE_SIZE;
if (max < 1)
return -1;
rm_read (p->s, ptr++, 1); rm_read (p->s, ptr++, 1);
max -= 1;
while(1) { while(1) {
/* expecting following chunk format: 0x4f <chunk size> <data...> */ /* expecting following chunk format: 0x4f <chunk size> <data...> */
if (max < 2)
return -1;
rm_read (p->s, ptr, 2); rm_read (p->s, ptr, 2);
max -= 2;
if (*ptr == 'X') /* checking for server message */ if (*ptr == 'X') /* checking for server message */
{ {
printf("input_pnm: got a message from server:\n"); printf("input_pnm: got a message from server:\n");
if (max < 1)
return -1;
rm_read (p->s, ptr+2, 1); rm_read (p->s, ptr+2, 1);
max = -1;
n=BE_16(ptr+1); n=BE_16(ptr+1);
if (max < n)
return -1;
rm_read (p->s, ptr+3, n); rm_read (p->s, ptr+3, n);
max -= n;
ptr[3+n]=0; ptr[3+n]=0;
printf("%s\n",ptr+3); printf("%s\n",ptr+3);
return -1; return -1;
@ -354,10 +371,15 @@ static unsigned int pnm_get_chunk(pnm_t *p,
} }
if (*ptr != 0x4f) break; if (*ptr != 0x4f) break;
n=ptr[1]; n=ptr[1];
if (max < n)
return -1;
rm_read (p->s, ptr+2, n); rm_read (p->s, ptr+2, n);
max -= n;
ptr+=(n+2); ptr+=(n+2);
} }
/* the checksum of the next chunk is ignored here */ /* the checksum of the next chunk is ignored here */
if (max < 1)
return -1;
rm_read (p->s, ptr+2, 1); rm_read (p->s, ptr+2, 1);
ptr+=3; ptr+=3;
chunk_size=ptr-data; chunk_size=ptr-data;
@ -367,10 +389,12 @@ static unsigned int pnm_get_chunk(pnm_t *p,
case PROP_TAG: case PROP_TAG:
case MDPR_TAG: case MDPR_TAG:
case CONT_TAG: case CONT_TAG:
if (chunk_size > max) { if (chunk_size > max || chunk_size < PREAMBLE_SIZE) {
printf("error: max chunk size exeeded (max was 0x%04x)\n", max); printf("error: max chunk size exeeded (max was 0x%04x)\n", max);
#ifdef LOG
n=rm_read (p->s, &data[PREAMBLE_SIZE], 0x100 - PREAMBLE_SIZE); n=rm_read (p->s, &data[PREAMBLE_SIZE], 0x100 - PREAMBLE_SIZE);
hexdump(data,n+PREAMBLE_SIZE); hexdump(data,n+PREAMBLE_SIZE);
#endif
return -1; return -1;
} }
rm_read (p->s, &data[PREAMBLE_SIZE], chunk_size-PREAMBLE_SIZE); rm_read (p->s, &data[PREAMBLE_SIZE], chunk_size-PREAMBLE_SIZE);
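Review bot: In the PNA_TAG server-message branch (hunk `-324,18 +329,30`), the new line `max = -1;` after the one-byte read looks like a typo for `max -= 1;`. Because `n` is now `unsigned int`, the following `if (max < n)` compares against an all-ones value and can never fail, so the 16-bit length taken from `BE_16(ptr+1)` remains unbounded for `rm_read (p->s, ptr+3, n)`. The terminator store `ptr[3+n]=0;` also writes one byte beyond the `n` bytes read, so the guard should leave room for it: `max -= 1;` followed by `if (max <= n) return -1;`. The declaration of `max` and the start and end of pnm_get_chunk are outside the visible hunks, so the buffer size the caller passes should be confirmed against this accounting.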