[snip]
> 2. Possible overflow in the HTTP header parser

> Remote; possibly exploitable.

> This is an unchecked write past the end of a buffer which is used for
> receiving HTTP data from a remote server.
[snip]

Buggy patch, noticed and fixed in CVS HEAD by Matthias Hopf. Fixed patch
attached (basically, s/buflen/BUFSIZE/).

-- 
| Darren Salt    | linux or ds at              | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Use more efficient products. Use less.          BE MORE ENERGY EFFICIENT.

The decision doesn't have to be logical; it was unanimous.
Index: xine-lib-1.1.2cvs20060328/src/input/input_http.c
===================================================================
--- xine-lib-1.1.2cvs20060328.orig/src/input/input_http.c
+++ xine-lib-1.1.2cvs20060328/src/input/input_http.c
@@ -895,6 +895,12 @@ static int http_plugin_open (input_plugi
        len = 0;
     } else
       len ++;
+    if ( len >= BUFSIZE ) {
+       _x_message(this->stream, XINE_MSG_PERMISSION_ERROR, this->mrl, NULL);
+       xine_log (this->stream->xine, XINE_LOG_MSG,
+         _("input_http: buffer exhausted after %d bytes."), BUFSIZE);
+       return 0;
+    }
   }
 
   lprintf ("end of headers\n");
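Review bot: In the new `if ( len >= BUFSIZE )` block the failure is reported with XINE_MSG_PERMISSION_ERROR, so the user is told about a permission problem when the actual cause is header data that does not fit in the buffer. A more general error code would be less misleading; the xine_log text already describes the real condition. The early `return 0` leaves http_plugin_open while it is still reading headers, so it is worth confirming that the failed-open path releases whatever was set up before this point. The check also sits after `len ++` at the bottom of the loop body, so it guards the next iteration's write. That is correct only if the buffer really is BUFSIZE bytes and nothing is stored at the incremented index before the check runs, neither of which is visible in this hunk's context.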
