[snip]
> 2. Possible overflow in the HTTP header parser
> Remote; possibly exploitable.
> This is an unchecked write past the end of a buffer which is used for
> receiving HTTP data from a remote server.
[snip]
Buggy patch, noticed and fixed in CVS HEAD by Matthias Hopf. Fixed patch
attached (basically, s/buflen/BUFSIZE/).
--
| Darren Salt | linux or ds at | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Use more efficient products. Use less. BE MORE ENERGY EFFICIENT.
The decision doesn't have to be logical; it was unanimous.
Index: xine-lib-1.1.2cvs20060328/src/input/input_http.c
===================================================================
--- xine-lib-1.1.2cvs20060328.orig/src/input/input_http.c
+++ xine-lib-1.1.2cvs20060328/src/input/input_http.c
@@ -895,6 +895,12 @@ static int http_plugin_open (input_plugi
len = 0;
} else
len ++;
+ if ( len >= BUFSIZE ) {
+ _x_message(this->stream, XINE_MSG_PERMISSION_ERROR, this->mrl, NULL);
+ xine_log (this->stream->xine, XINE_LOG_MSG,
+ _("input_http: buffer exhausted after %d bytes."), BUFSIZE);
+ return 0;
+ }
}
lprintf ("end of headers\n");
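Review bot: at the `_x_message` call, XINE_MSG_PERMISSION_ERROR is a misleading type for this condition. The failure is an over-long header from the server, not an access problem, so the front end will show the user the wrong cause. A more general error type would fit better, or the `xine_log` line alone could carry the detail. The bound itself depends on context outside the hunk. `len >= BUFSIZE`, tested after `len ++`, is only correct if the receive buffer really is declared with BUFSIZE elements, so that is worth confirming against the declaration, since the earlier version of this patch compared against `buflen`. The new `return 0` also leaves http_plugin_open with no cleanup visible in these lines. If a connection is already open at this point, it should be released the same way as on the function's other error paths.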