Package: libxine1
Version: 1.0.1-1
Severity: serious
Tags: security, patch
Two potential buffer overflows in xine-lib, both fixed in CVS HEAD. These
definitely affect 1.1.1, and look as if they affect 1.0.1 too. (These are
reported against 1.0.1-1 for that reason.)
1. Possible overflow via a specially-crafted AVI file
Local; remote via streamed content; possibly exploitable.
An AVI superindex chunk specifies both the number of entries and the size of
each entry. xine-lib uses both values when allocating memory, but then
assumes that the entry size is at least 16 bytes when writing to the
newly-allocated buffer. If the chunk gives too small an entry size, xine-lib
will (a) read past the end of the chunk and (b) write past the end of the
buffer.
This bug is related to <URL:http://www.xfocus.org/advisories/200603/11.html>.
I sent a patch (attached) to xine-devel for review on 2 April; it was
committed to CVS by Matthias Hopf on 22 May.
<URL:http://sourceforge.net/mailarchive/forum.php?thread_id=10088861&forum_id=7131>
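As an added illustration of the superindex problem (example code written for this page, not xine-lib's demuxer and not the attached patch): the block below parses an OpenDML AVI superindex chunk using the layout the OpenDML spec defines (24-byte header, 16-byte entries), computes the allocation the flawed logic described above would make from the file-supplied entry size, and shows a hardened parse that bounds nEntriesInUse against the bytes actually present after the header. The struct and function names, and the sample chunks built by build_chunk, are this example's own constructions.

```c
/* Added example, not xine-lib code: parse an OpenDML AVI superindex ('indx')
 * chunk, validating the entry count against the chunk size before allocating. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OpenDML superindex layout, following the 'indx' FOURCC and dwSize:
 * wLongsPerEntry(2) bIndexSubType(1) bIndexType(1) nEntriesInUse(4)
 * dwChunkId(4) dwReserved[3](12) = 24-byte header, then 16-byte entries
 * of qwOffset(8) dwSize(4) dwDuration(4). */
#define SUPERINDEX_HEADER_LEN 24u
#define SUPERINDEX_ENTRY_LEN  16u

typedef struct { uint64_t qwOffset; uint32_t dwSize; uint32_t dwDuration; } superindex_entry;
typedef struct { uint16_t wLongsPerEntry; uint32_t nEntriesInUse; superindex_entry *aIndex; } superindex;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t le64(const uint8_t *p) { return (uint64_t)le32(p) | ((uint64_t)le32(p + 4) << 32); }

/* Size the flawed logic described in the report would allocate: the entry
 * size comes from the file, while the copy loop stores 16 bytes per entry. */
size_t naive_alloc_size(uint16_t longs_per_entry, uint32_t n_entries) {
    return (size_t)longs_per_entry * n_entries * sizeof(uint32_t);
}

/* 1 if that allocation is smaller than what the copy loop writes. */
int naive_would_overflow(uint16_t longs_per_entry, uint32_t n_entries) {
    return naive_alloc_size(longs_per_entry, n_entries) < (size_t)n_entries * SUPERINDEX_ENTRY_LEN;
}

/* Hardened parse. `chunk` is the payload after the FOURCC and dwSize, `n` is
 * dwSize. Returns 0 on success (caller frees out->aIndex), -1 if malformed. */
int parse_superindex(const uint8_t *chunk, uint32_t n, superindex *out) {
    out->aIndex = NULL;
    if (n < SUPERINDEX_HEADER_LEN) return -1;
    out->wLongsPerEntry = le16(chunk);
    out->nEntriesInUse  = le32(chunk + 4);
    /* This example rejects any entry size other than the 4 longs OpenDML
     * defines, since the loop below consumes exactly 16 bytes per entry. */
    if (out->wLongsPerEntry != SUPERINDEX_ENTRY_LEN / sizeof(uint32_t)) return -1;
    /* Bound the count against the bytes that follow the header, so the read
     * loop cannot run off the chunk and the allocation below is <= n bytes. */
    if (out->nEntriesInUse > (n - SUPERINDEX_HEADER_LEN) / SUPERINDEX_ENTRY_LEN) return -1;
    out->aIndex = calloc(out->nEntriesInUse ? out->nEntriesInUse : 1, sizeof(superindex_entry));
    if (!out->aIndex) return -1;
    const uint8_t *a = chunk + SUPERINDEX_HEADER_LEN;
    for (uint32_t j = 0; j < out->nEntriesInUse; ++j) {
        out->aIndex[j].qwOffset   = le64(a); a += 8;
        out->aIndex[j].dwSize     = le32(a); a += 4;
        out->aIndex[j].dwDuration = le32(a); a += 4;
    }
    return 0;
}

/* Constructed sample builder (test data, not from any real file): a header
 * claiming `claimed` entries followed by `present` real ones. Returns dwSize. */
uint32_t build_chunk(uint8_t *buf, uint16_t longs, uint32_t claimed, uint32_t present) {
    uint32_t n = SUPERINDEX_HEADER_LEN + present * SUPERINDEX_ENTRY_LEN;
    memset(buf, 0, n);
    buf[0] = (uint8_t)longs; buf[1] = (uint8_t)(longs >> 8);              /* wLongsPerEntry */
    for (int k = 0; k < 4; ++k) buf[4 + k] = (uint8_t)(claimed >> (8 * k)); /* nEntriesInUse */
    memcpy(buf + 8, "00dc", 4);                                             /* dwChunkId */
    for (uint32_t j = 0; j < present; ++j) {
        uint8_t *e = buf + SUPERINDEX_HEADER_LEN + j * SUPERINDEX_ENTRY_LEN;
        uint64_t off = 0x1000u * (j + 1);
        for (int k = 0; k < 8; ++k) e[k] = (uint8_t)(off >> (8 * k));      /* qwOffset */
        e[8] = 0x10;                                                        /* dwSize = 16 */
        e[12] = 0x01;                                                       /* dwDuration = 1 */
    }
    return n;
}

int main(void) {
    uint8_t buf[256]; superindex si;
    uint32_t n = build_chunk(buf, 4, 2, 2);
    printf("well-formed chunk: %d (entries=%u)\n", parse_superindex(buf, n, &si), si.nEntriesInUse);
    free(si.aIndex);
    n = build_chunk(buf, 1, 2, 2);
    printf("entry size 4 bytes: naive alloc %zu < %u written, overflow=%d, hardened=%d\n",
           naive_alloc_size(1, 2), 2 * SUPERINDEX_ENTRY_LEN, naive_would_overflow(1, 2),
           parse_superindex(buf, n, &si));
    n = build_chunk(buf, 4, 3, 2);
    printf("claims 3 entries, chunk holds 2: hardened=%d\n", parse_superindex(buf, n, &si));
    return 0;
}
```

The two checks in parse_superindex correspond to the two halves of the bug: the entry-size check prevents the allocation from being smaller than what the copy loop writes, and subtracting the header before dividing prevents the loop from reading past the chunk even when the claimed count is off by one.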
2. Possible overflow in the HTTP header parser
Remote; possibly exploitable.
This is an unchecked write past the end of a buffer which is used for
receiving HTTP data from a remote server.
Reported by Diego Pettenò to xine-devel; committed to CVS by me yesterday.
Patch (with spelling fix) attached.
<URL:http://sourceforge.net/mailarchive/forum.php?thread_id=11076540&forum_id=7131>
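As an added illustration of the HTTP header issue (example code written for this page, not xine-lib's input_http.c and not the attached patch): the block below reads response headers one byte at a time into a fixed-size buffer and refuses to store a byte once the current line would no longer fit, which is the check the report describes as missing. The fake_conn type is a constructed in-memory stand-in for a socket, SAMPLE_RESPONSE is a constructed response, and the function names are this example's own.

```c
/* Added example, not xine-lib code: receive HTTP response headers into a
 * fixed-size buffer, checking the length before every store. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory stand-in for the socket a real input plugin reads. */
typedef struct { const char *data; size_t len; size_t pos; } fake_conn;

static int conn_getc(fake_conn *c) {
    return c->pos < c->len ? (unsigned char)c->data[c->pos++] : -1;
}

/* Constructed sample response (not captured from any server). */
#define SAMPLE_RESPONSE \
    "HTTP/1.0 200 OK\r\nContent-Type: video/x-msvideo\r\nContent-Length: 1234\r\n\r\n"

/* Reads header lines into buf, one line at a time, until the blank line that
 * ends the header block. Returns the number of header lines (status line
 * included), -1 if a line would not fit in buflen - 1 bytes (one byte is
 * kept for the terminator), -2 if the stream ends before the headers do. */
int read_http_headers(fake_conn *c, char *buf, size_t buflen) {
    size_t len = 0;
    int lines = 0;
    if (buflen == 0) return -1;
    for (;;) {
        int ch = conn_getc(c);
        if (ch < 0) return -2;
        if (ch == '\r') continue;               /* accept CRLF or bare LF */
        if (ch == '\n') {
            buf[len] = '\0';                    /* len <= buflen - 1 here */
            if (len == 0) return lines;         /* empty line: end of headers */
            lines++;
            len = 0;
            continue;
        }
        /* The bound the report describes as missing: never store past the
         * end of buf, however long the remote server makes its lines. */
        if (len >= buflen - 1) return -1;
        buf[len++] = (char)ch;
    }
}

/* Runs the reader over a response string with a buffer of `buflen` bytes. */
int headers_result(const char *response, size_t buflen) {
    char *buf = malloc(buflen ? buflen : 1);
    fake_conn c = { response, strlen(response), 0 };
    int r = buf ? read_http_headers(&c, buf, buflen) : -1;
    free(buf);
    return r;
}

/* Builds a response whose second line is "X-Pad: " plus `pad_len` bytes of
 * 'a', then runs the reader over it with a `buflen`-byte buffer. */
int overlong_header_result(size_t pad_len, size_t buflen) {
    const char *prefix = "HTTP/1.0 200 OK\r\nX-Pad: ";
    size_t plen = strlen(prefix);
    char *resp = malloc(plen + pad_len + 5);
    if (!resp) return -1;
    memcpy(resp, prefix, plen);
    memset(resp + plen, 'a', pad_len);
    memcpy(resp + plen + pad_len, "\r\n\r\n", 5);
    int r = headers_result(resp, buflen);
    free(resp);
    return r;
}

int main(void) {
    printf("sample response, 64-byte buffer: %d header lines\n", headers_result(SAMPLE_RESPONSE, 64));
    printf("sample response, 16-byte buffer: %d\n", headers_result(SAMPLE_RESPONSE, 16));
    printf("300-byte padded header line, 64-byte buffer: %d\n", overlong_header_result(300, 64));
    return 0;
}
```

Because len is reset at every newline, the bound applies per header line rather than to the whole header block; a reader that needs to cap the total as well should track a second counter across lines.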
--
| Darren Salt | linux or ds at | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Use more efficient products. Use less. BE MORE ENERGY EFFICIENT.
Your enemies are closing in.
Index: src/demuxers/demux_avi.c
===================================================================
RCS file: /cvsroot/xine/xine-lib/src/demuxers/demux_avi.c,v
retrieving revision 1.223
diff -u -r1.223 demux_avi.c
--- src/demuxers/demux_avi.c 4 Mar 2006 12:04:42 -0000 1.223
+++ src/demuxers/demux_avi.c 1 Apr 2006 23:51:12 -0000
@@ -1029,7 +1029,14 @@
lprintf("Invalid Header, bIndexSubType != 0\n");
}
- superindex->aIndex = malloc (superindex->wLongsPerEntry *
superindex->nEntriesInUse * sizeof (uint32_t));
+ if (superindex->nEntriesInUse > n / sizeof (avisuperindex_entry))
+ {
+ lprintf("broken index !, dwSize=%d, entries=%d\n", n,
superindex->nEntriesInUse);
+ i += 8 + n;
+ continue;
+ }
+
+ superindex->aIndex = malloc (superindex->nEntriesInUse * sizeof
(avisuperindex_entry));
/* position of ix## chunks */
for (j = 0; j < superindex->nEntriesInUse; ++j) {
superindex->aIndex[j].qwOffset = LE_64 (a); a += 8;
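Review bot: the new bound `superindex->nEntriesInUse > n / sizeof (avisuperindex_entry)` divides the whole chunk size n by the entry size, but the superindex header fields used here (wLongsPerEntry, bIndexSubType, nEntriesInUse) come out of the same chunk, so if `a` points past them the entries occupy n minus that header, not n; subtract the header length before dividing, otherwise a chunk whose dwSize covers the header plus k entries can still claim k+1 and the loop that reads `LE_64 (a)` runs off the end of the chunk. Two smaller points in the same hunk: the `malloc` result is still dereferenced without a NULL check, and now that `wLongsPerEntry` no longer feeds the allocation, a chunk whose entry size is smaller than the 16 bytes the loop consumes per entry (the mismatch the report describes) should also be rejected rather than silently read with the larger stride.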
Index: xine-lib-1.1.2cvs20060328/src/input/input_http.c
===================================================================
--- xine-lib-1.1.2cvs20060328.orig/src/input/input_http.c
+++ xine-lib-1.1.2cvs20060328/src/input/input_http.c
@@ -895,6 +895,12 @@ static int http_plugin_open (input_plugi
len = 0;
} else
len ++;
+ if ( len >= buflen ) {
+ _x_message(this->stream, XINE_MSG_PERMISSION_ERROR, this->mrl, NULL);
+ xine_log (this->stream->xine, XINE_LOG_MSG,
+ _("input_http: buffer exhausted after %d bytes."), buflen);
+ return 0;
+ }
}
lprintf ("end of headers\n");
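Review bot: reporting buffer exhaustion as `XINE_MSG_PERMISSION_ERROR` misdescribes the condition to the user; an oversized or malformed header from the server is a protocol or read error, so pick the message type the other parse failures in http_plugin_open use. The `return 0` also leaves the function before `lprintf ("end of headers\n")`, so confirm that whatever the function has already opened at this point is released on this path the same way its other early returns do. On the check itself, `if ( len >= buflen )` placed after `len ++` only prevents the overrun if the store of the current byte happens before the increment and the next store is what this test guards; that is how it reads here, but a one-line comment saying so would make the off-by-one reasoning visible to the next reader.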