Video
 » 
Display
 » 
xine - a free video player
 » 
xine-devel

[PATCH] Fix buffer overflow in demux_mpeg_block.c

View: New views
2 Messages — Rating Filter:   Alert me  

[PATCH] Fix buffer overflow in demux_mpeg_block.c

by Petri Hintukainen-3 :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

Patch attached.

I'd also remove this->scratch unless there is some weird reason to keep
it. Local buffers in demux_mpeg_detect_blocksize() [4 bytes] and
open_plugin [4096 bytes] should do the same ... ?


- Petri

[9835-demux_mpeg_block.c-buffer_overflow.diff]
# HG changeset patch
# User Petri Hintukainen <phintuka@...>
# Date 1257260200 -7200
# Node ID 61fcc6e682a4db817461e3c825589a2c41ec71dd
# Parent  898baed1012ada88a6b8522f1f3d95f04815f556
Fixed buffer overflow:
input->read(input, this->scratch, this->blocksize) overflows if input plugin block size is larger than 4096.

diff -r 898baed1012a -r 61fcc6e682a4 src/demuxers/demux_mpeg_block.c
--- a/src/demuxers/demux_mpeg_block.c Sun Oct 25 14:08:00 2009 +0000
+++ b/src/demuxers/demux_mpeg_block.c Tue Nov 03 16:56:40 2009 +0200
@@ -43,6 +43,7 @@
 
 #define NUM_PREVIEW_BUFFERS   250
 #define DISC_TRESHOLD       90000
+#define MAX_BLOCK_SIZE       4096
 
 #define WRAP_THRESHOLD     120000
 #define PTS_AUDIO 0
@@ -1385,7 +1386,7 @@
   this->demux_plugin.get_optional_data = demux_mpeg_block_get_optional_data;
   this->demux_plugin.demux_class       = class_gen;
 
-  this->scratch    = xine_xmalloc_aligned (512, 4096, &this->scratch_base);
+  this->scratch    = xine_xmalloc_aligned (512, MAX_BLOCK_SIZE, &this->scratch_base);
   this->status     = DEMUX_FINISHED;
 
   lprintf ("open_plugin:detection_method=%d\n",
@@ -1410,7 +1411,7 @@
       if (!this->blocksize)
         this->blocksize = demux_mpeg_detect_blocksize( this, input );
 
-      if (!this->blocksize) {
+      if (!this->blocksize || this->blocksize > MAX_BLOCK_SIZE) {
         free (this->scratch_base);
         free (this);
         return NULL;

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
xine-devel mailing list
xine-devel@...
https://lists.sourceforge.net/lists/listinfo/xine-devel

Re: [PATCH] Fix buffer overflow in demux_mpeg_block.c

by Petri Hintukainen-3 :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

> I'd also remove this->scratch unless there is some weird reason to keep
> it.

Attached (untested) patch.


- Petri


[9835-demux_mpeg_block.c-buffer_overflow_v2.diff]
# HG changeset patch
# User Petri Hintukainen <phintuka@...>
# Date 1257261327 -7200
# Node ID 761f7a5a77d0e129f815b7fe3f81f8072404c7a0
# Parent  898baed1012ada88a6b8522f1f3d95f04815f556
Fixed buffer overflow.
Removed scratch buffer from demux_mpeg_block_s.

diff -r 898baed1012a -r 761f7a5a77d0 src/demuxers/demux_mpeg_block.c
--- a/src/demuxers/demux_mpeg_block.c Sun Oct 25 14:08:00 2009 +0000
+++ b/src/demuxers/demux_mpeg_block.c Tue Nov 03 17:15:27 2009 +0200
@@ -69,9 +69,6 @@
 
   char                  cur_mrl[256];
 
-  uint8_t              *scratch;
-  void                 *scratch_base;
-
   int64_t               nav_last_end_pts;
   int64_t               nav_last_start_pts;
   int64_t               last_pts[2];
@@ -1176,7 +1173,6 @@
 
   demux_mpeg_block_t *this = (demux_mpeg_block_t *) this_gen;
   
-  free (this->scratch_base);
   free (this);
 }
 
@@ -1189,18 +1185,19 @@
 static int demux_mpeg_detect_blocksize(demux_mpeg_block_t *this,
        input_plugin_t *input)
 {
+  uint8_t scratch[4];
   input->seek(input, 2048, SEEK_SET);
-  if (input->read(input, this->scratch, 4) != 4)
+  if (input->read(input, scratch, 4) != 4)
     return 0;
 
-  if (this->scratch[0] || this->scratch[1]
-      || (this->scratch[2] != 0x01) || (this->scratch[3] != 0xba)) {
+  if (scratch[0] || scratch[1]
+      || (scratch[2] != 0x01) || (scratch[3] != 0xba)) {
 
     input->seek(input, 2324, SEEK_SET);
-    if (input->read(input, this->scratch, 4) != 4)
+    if (input->read(input, scratch, 4) != 4)
       return 0;
-    if (this->scratch[0] || this->scratch[1]
-        || (this->scratch[2] != 0x01) || (this->scratch[3] != 0xba))
+    if (scratch[0] || scratch[1]
+        || (scratch[2] != 0x01) || (scratch[3] != 0xba))
       return 0;
     
     return 2324;
@@ -1385,7 +1382,6 @@
   this->demux_plugin.get_optional_data = demux_mpeg_block_get_optional_data;
   this->demux_plugin.demux_class       = class_gen;
 
-  this->scratch    = xine_xmalloc_aligned (512, 4096, &this->scratch_base);
   this->status     = DEMUX_FINISHED;
 
   lprintf ("open_plugin:detection_method=%d\n",
@@ -1397,13 +1393,14 @@
 
     /* use demux_mpeg for non-block devices */
     if (!(input->get_capabilities(input) & INPUT_CAP_BLOCK)) {
-      free (this->scratch_base);
       free (this);
       return NULL;
     }
 
     if (((input->get_capabilities(input) & INPUT_CAP_SEEKABLE) != 0) ) {
 
+      uint8_t scratch[5] = {0xff, 0xff, 0xff, 0xff, 0xff}; /* result of input->read() won't matter */
+
       this->blocksize = input->get_blocksize(input);
       lprintf("open_plugin:blocksize=%d\n",this->blocksize);
 
@@ -1411,29 +1408,25 @@
         this->blocksize = demux_mpeg_detect_blocksize( this, input );
 
       if (!this->blocksize) {
-        free (this->scratch_base);
         free (this);
         return NULL;
       }
 
       input->seek(input, 0, SEEK_SET);
-      memset (this->scratch, 255, 5); /* result of input->read() won't matter */
-      if (input->read(input, this->scratch, this->blocksize)) {
+      if (input->read(input, scratch, 5)) {
  lprintf("open_plugin:read worked\n");
 
-        if (this->scratch[0] || this->scratch[1]
-            || (this->scratch[2] != 0x01) || (this->scratch[3] != 0xba)) {
+        if (scratch[0] || scratch[1]
+            || (scratch[2] != 0x01) || (scratch[3] != 0xba)) {
   lprintf("open_plugin:scratch failed\n");
 
-          free (this->scratch_base);
           free (this);
           return NULL;
         }
 
         /* if it's a file then make sure it's mpeg-2 */
         if ( !input->get_blocksize(input)
-             && ((this->scratch[4]>>4) != 4) ) {
-          free (this->scratch_base);
+             && ((scratch[4]>>4) != 4) ) {
           free (this);
           return NULL;
         }
@@ -1447,7 +1440,6 @@
         break;
       }
     }
-    free (this->scratch_base);
     free (this);
     return NULL;
   }
@@ -1468,7 +1460,6 @@
       ending = strrchr(mrl, '.');
 
       if (!ending) {
-        free (this->scratch_base);
         free (this);
         return NULL;
       }
@@ -1478,7 +1469,6 @@
         this->blocksize = 2048;
         demux_mpeg_block_accept_input(this, input);
       } else {
-        free (this->scratch_base);
         free (this);
         return NULL;
       }
@@ -1496,7 +1486,6 @@
       this->blocksize = demux_mpeg_detect_blocksize( this, input );
 
     if (!this->blocksize) {
-      free (this->scratch_base);
       free (this);
       return NULL;
     }
@@ -1506,7 +1495,6 @@
   break;
 
   default:
-    free (this->scratch_base);
     free (this);
     return NULL;
   }

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
xine-devel mailing list
xine-devel@...
https://lists.sourceforge.net/lists/listinfo/xine-devel
Free embeddable forum powered by Nabble Forum Help