[snip]
> 2. Possible overflow in the HTTP header parser
>    Remote; possibly exploitable.
>
> This is an unchecked write past the end of a buffer which is used for
> receiving HTTP data from a remote server.
[snip]

Buggy patch, noticed and fixed in CVS HEAD by Matthias Hopf. Fixed patch attached (basically, s/buflen/BUFSIZE/).

-- 
| Darren Salt | linux or ds at | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Use more efficient products. Use less. BE MORE ENERGY EFFICIENT.

The decision doesn't have to be logical; it was unanimous.

Index: xine-lib-1.1.2cvs20060328/src/input/input_http.c =================================================================== --- xine-lib-1.1.2cvs20060328.orig/src/input/input_http.c +++ xine-lib-1.1.2cvs20060328/src/input/input_http.c @@ -895,6 +895,12 @@ static int http_plugin_open (input_plugi len = 0; } else len ++; + if ( len >= BUFSIZE ) { + _x_message(this->stream, XINE_MSG_PERMISSION_ERROR, this->mrl, NULL); + xine_log (this->stream->xine, XINE_LOG_MSG, + _("input_http: buffer exhausted after %d bytes."), BUFSIZE); + return 0; + } } lprintf ("end of headers\n");
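
Review bot: the `return 0` added in the `if ( len >= BUFSIZE )` block exits http_plugin_open while it is still reading the response headers, and the hunk shows no cleanup before it. Please confirm that the connection to the server is closed on this path, either here or by the caller on a 0 return, so that a server sending an oversized header line cannot make the plugin leak a descriptor on each attempt. Two smaller points in the same block: XINE_MSG_PERMISSION_ERROR reports the failure to the user as an access problem, while the actual condition is a header line that does not fit the buffer, so a message type or text that says so would make the failure diagnosable. And the bound is only correct if the receive buffer is declared with exactly BUFSIZE elements; the mail notes that the earlier version of this check used buflen instead, so comparing against the size of the array itself would keep the check and the declaration from drifting apart again.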