Fix for [oCERT-2008-004] multiple speex implementations insufficient boundary checks...

diff --git a/THANKS b/THANKS
index f32bb99caa2a1dec5e40b3750c3c5be5cb682e57..56b9cad5c3e6b1c37d75bd23a7ae3a9e5740fd39 100644 (file)
--- a/THANKS
+++ b/THANKS
@@ -78,6 +78,7 @@ Dylan Yudaken <dyudaken -- gmail # com> - hotkeys patch
 Emmanuel Blindauer <manu at agat.net> - aRts audio output
 Enrico Gueli <e_gueli at yahoo.it> - Brightness threshold in adjust video filter
 Enrique Osuna <enrique.osuna at gmail.com> - Various bug fixes in libvlc. Major Mac OS X Framework improvements.
+Eren Türkay <turkay dot eren \a/ gmail point com> - Speex boundary checks and security fix
 Espen Skoglund <esk at ira.uka.de> - FreeBSD autoconf and Makefile patches
 Ethan C. Baldridge <BaldridgeE at cadmus.com> - directory browsing code
 Eurodata Computer Club <retron.info> - VLC icon design (v0.8.4)

diff --git a/modules/codec/speex.c b/modules/codec/speex.c
index d563245354520c0494483b2c2864a031b6656268..83890bbfd615920c33a21a8173c24526511062ac 100644 (file)
--- a/modules/codec/speex.c
+++ b/modules/codec/speex.c
@@ -357,7 +357,7 @@ static int ProcessInitialHeader( decoder_t *p_dec, ogg_packet *p_oggpacket )
         msg_Err( p_dec, "cannot read Speex header" );
         return VLC_EGENERIC;
     }
-    if( p_header->mode >= SPEEX_NB_MODES )
+    if( p_header->mode >= SPEEX_NB_MODES || p_header->mode < 0 )
     {
         msg_Err( p_dec, "mode number %d does not (yet/any longer) exist in "
                  "this version of libspeex.", p_header->mode );