xine-lib/xine-lib-1.1.8-CVE-2008-0486.patch

diff -r 6cce4115cd7d -r 71d64201b47e src/demuxers/demux_flac.c
--- a/src/demuxers/demux_flac.c	Thu Feb 07 17:49:40 2008 +0000
+++ b/src/demuxers/demux_flac.c	Thu Feb 07 17:51:59 2008 +0000
@@ -189,7 +189,7 @@ static int open_flac_file(demux_flac_t *
     case 4:
       lprintf ("VORBIS_COMMENT metadata\n");
       {
-        char comments[block_length];
+        char comments[block_length + 1]; /* last byte for NUL termination */
         char *ptr = comments;
         uint32_t length, user_comment_list_length;
         int cn;
@@ -202,18 +202,25 @@ static int open_flac_file(demux_flac_t *
 
           length = _X_LE_32(ptr);
           ptr += 4 + length;
+          if (length >= block_length - 8)
+            return 0; /* bad length or too little left in the buffer */
 
           user_comment_list_length = _X_LE_32(ptr);
           ptr += 4;
 
           cn = 0;
           for (; cn < user_comment_list_length; cn++) {
+            if (ptr > comments + block_length - 4)
+              return 0; /* too little left in the buffer */
+
             length = _X_LE_32(ptr);
             ptr += 4;
+            if (length >= block_length || ptr + length > comments + block_length)
+              return 0; /* bad length */
 
             comment = (char*) ptr;
             c = comment[length];
-            comment[length] = 0;
+            comment[length] = 0; /* NUL termination */
 
             lprintf ("comment[%02d] = %s\n", cn, comment);
 
@@ -248,8 +255,8 @@ static int open_flac_file(demux_flac_t *
           }
 
           if ((tracknumber > 0) && (tracktotal > 0)) {
-            char tn[16];
-            snprintf (tn, 16, "%02d/%02d", tracknumber, tracktotal);
+            char tn[24];
+            snprintf (tn, 24, "%02d/%02d", tracknumber, tracktotal);
             _x_meta_info_set(flac->stream, XINE_META_INFO_TRACK_NUMBER, tn);
           }
           else if (tracknumber > 0) {
* Fri Feb 8 2008 Ville Skyttä <ville.skytta at iki.fi> - 1.1.8-8 - Include ASF and FLAC comment security fixes from 1.1.10 and 1.1.10.1. 2008-02-08 20:38:56 +00:00			`diff -r 6cce4115cd7d -r 71d64201b47e src/demuxers/demux_flac.c`
			`--- a/src/demuxers/demux_flac.c Thu Feb 07 17:49:40 2008 +0000`
			`+++ b/src/demuxers/demux_flac.c Thu Feb 07 17:51:59 2008 +0000`
			`@@ -189,7 +189,7 @@ static int open_flac_file(demux_flac_t *`
			`case 4:`
			`lprintf ("VORBIS_COMMENT metadata\n");`
			`{`
			`- char comments[block_length];`
			`+ char comments[block_length + 1]; /* last byte for NUL termination */`
			`char *ptr = comments;`
			`uint32_t length, user_comment_list_length;`
			`int cn;`
			`@@ -202,18 +202,25 @@ static int open_flac_file(demux_flac_t *`

			`length = _X_LE_32(ptr);`
			`ptr += 4 + length;`
			`+ if (length >= block_length - 8)`
			`+ return 0; /* bad length or too little left in the buffer */`

			`user_comment_list_length = _X_LE_32(ptr);`
			`ptr += 4;`

			`cn = 0;`
			`for (; cn < user_comment_list_length; cn++) {`
			`+ if (ptr > comments + block_length - 4)`
			`+ return 0; /* too little left in the buffer */`
			`+`
			`length = _X_LE_32(ptr);`
			`ptr += 4;`
			`+ if (length >= block_length \|\| ptr + length > comments + block_length)`
			`+ return 0; /* bad length */`

			`comment = (char*) ptr;`
			`c = comment[length];`
			`- comment[length] = 0;`
			`+ comment[length] = 0; /* NUL termination */`

			`lprintf ("comment[%02d] = %s\n", cn, comment);`

			`@@ -248,8 +255,8 @@ static int open_flac_file(demux_flac_t *`
			`}`

			`if ((tracknumber > 0) && (tracktotal > 0)) {`
			`- char tn[16];`
			`- snprintf (tn, 16, "%02d/%02d", tracknumber, tracktotal);`
			`+ char tn[24];`
			`+ snprintf (tn, 24, "%02d/%02d", tracknumber, tracktotal);`
			`_x_meta_info_set(flac->stream, XINE_META_INFO_TRACK_NUMBER, tn);`
			`}`
			`else if (tracknumber > 0) {`