CVE-2018-20762

commit 35ab4475a7df9b2a4bcab235e379c0c3ec543658 Author: Aurelien David <aurelien.david@telecom-paristech.fr> Date: Fri Jan 11 11:32:54 2019 +0100 Description: CVE-2018-20762 fix some overflows due to strcpy fixes #1184, #1186, #1187 among other things Gbp-Pq: Name CVE-2018-20762.patch
author: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org> 2020-11-13 21:27:34 -0500
committer: Reinhard Tartler <siretart@tauware.de> 2020-11-13 21:27:34 -0500
commit: 5effed60c94f524d8fa2bcb8ec557e70fda9e279 (patch)
tree: 2442eeb228d2567e57b6d282eb87b68b6365291c
parent: bcd71967012142ed5d86ecaf9cba98de471b8e6f (diff)
4 files changed, 58 insertions, 6 deletions
diff --git a/applications/mp4box/fileimport.c b/applications/mp4box/fileimport.c
index 437110b..e719924 100644
--- a/applications/mp4box/fileimport.c
+++ b/applications/mp4box/fileimport.c
@@ -2247,17 +2247,33 @@ GF_Err cat_multiple_files(GF_ISOFile *dest, char *fileName, u32 import_flags, Do
 	cat_enum.align_timelines = align_timelines;
 	cat_enum.allow_add_in_command = allow_add_in_command;
 
+	if (strlen(fileName) >= sizeof(cat_enum.szPath)) {
+		GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName));
+		return GF_NOT_SUPPORTED;
+	}
 	strcpy(cat_enum.szPath, fileName);
 	sep = strrchr(cat_enum.szPath, GF_PATH_SEPARATOR);
 	if (!sep) sep = strrchr(cat_enum.szPath, '/');
 	if (!sep) {
 		strcpy(cat_enum.szPath, ".");
+		if (strlen(fileName) >= sizeof(cat_enum.szRad1)) {
+			GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName));
+			return GF_NOT_SUPPORTED;
+		}
 		strcpy(cat_enum.szRad1, fileName);
 	} else {
+		if (strlen(sep + 1) >= sizeof(cat_enum.szRad1)) {
+			GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1)));
+			return GF_NOT_SUPPORTED;
+		}
 		strcpy(cat_enum.szRad1, sep+1);
 		sep[0] = 0;
 	}
 	sep = strchr(cat_enum.szRad1, '*');
+	if (strlen(sep + 1) >= sizeof(cat_enum.szRad2)) {
+		GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1)));
+		return GF_NOT_SUPPORTED;
+	}
 	strcpy(cat_enum.szRad2, sep+1);
 	sep[0] = 0;
 	sep = strchr(cat_enum.szRad2, '%');
@@ -2265,6 +2281,10 @@ GF_Err cat_multiple_files(GF_ISOFile *dest, char *fileName, u32 import_flags, Do
 	if (!sep) sep = strchr(cat_enum.szRad2, ':');
 	strcpy(cat_enum.szOpt, "");
 	if (sep) {
+		if (strlen(sep) >= sizeof(cat_enum.szOpt)) {
+			GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("Invalid option: %s.\n", sep));
+			return GF_NOT_SUPPORTED;
+		}
 		strcpy(cat_enum.szOpt, sep);
 		sep[0] = 0;
 	}
diff --git a/applications/mp4client/main.c b/applications/mp4client/main.c
index 397bf6c..63b4651 100644
--- a/applications/mp4client/main.c
+++ b/applications/mp4client/main.c
@@ -900,7 +900,8 @@ Bool GPAC_EventProc(void *ptr, GF_Event *evt)
 		break;
 	case GF_EVENT_NAVIGATE:
 		if (gf_term_is_supported_url(term, evt->navigate.to_url, 1, no_mime_check)) {
-			strcpy(the_url, evt->navigate.to_url);
+			strncpy(the_url, evt->navigate.to_url, sizeof(the_url)-1);
+			the_url[sizeof(the_url) - 1] = 0;
 			fprintf(stderr, "Navigating to URL %s\n", the_url);
 			gf_term_navigate_to(term, evt->navigate.to_url);
 			return 1;
@@ -1089,6 +1090,11 @@ void set_cfg_option(char *opt_string)
 	}
 	{
 		const size_t sepIdx = sep - opt_string;
+		if (sepIdx >= sizeof(szSec)) {
+			fprintf(stderr, "Badly formatted option %s - Section name is too long\n", opt_string);
+			return;
+		}
+
 		strncpy(szSec, opt_string, sepIdx);
 		szSec[sepIdx] = 0;
 	}
@@ -1100,8 +1106,16 @@ void set_cfg_option(char *opt_string)
 	}
 	{
 		const size_t sepIdx = sep2 - sep;
+		if (sepIdx >= sizeof(szKey)) {
+			fprintf(stderr, "Badly formatted option %s - key name is too long\n", opt_string);
+			return;
+		}
 		strncpy(szKey, sep, sepIdx);
 		szKey[sepIdx] = 0;
+		if (strlen(sep2 + 1) >= sizeof(szVal)) {
+			fprintf(stderr, "Badly formatted option %s - value is too long\n", opt_string);
+			return;
+		}
 		strcpy(szVal, sep2+1);
 	}
 
@@ -1656,7 +1670,14 @@ int mp4client_main(int argc, char **argv)
 	else if (!gui_mode && url_arg) {
 		char *ext;
 
-		strcpy(the_url, url_arg);
+		if (strlen(url_arg) >= sizeof(the_url)) {
+			fprintf(stderr, "Input url %s is too long, truncating to %d chars.\n", url_arg, (int)(sizeof(the_url) - 1));
+			strncpy(the_url, url_arg, sizeof(the_url)-1);
+			the_url[sizeof(the_url) - 1] = 0;
+		}
+		else {
+			strcpy(the_url, url_arg);
+		}
 		ext = strrchr(the_url, '.');
 		if (ext && (!stricmp(ext, ".m3u") || !stricmp(ext, ".pls"))) {
 			GF_Err e = GF_OK;
@@ -1668,7 +1689,10 @@ int mp4client_main(int argc, char **argv)
 				GF_DownloadSession *sess = gf_dm_sess_new(term->downloader, the_url, GF_NETIO_SESSION_NOT_THREADED, NULL, NULL, &e);
 				if (sess) {
 					e = gf_dm_sess_process(sess);
-					if (!e) strcpy(the_url, gf_dm_sess_get_cache_name(sess));
+					if (!e) {
+						strncpy(the_url, gf_dm_sess_get_cache_name(sess), sizeof(the_url) - 1);
+						the_url[sizeof(the_cfg) - 1] = 0;
+					}
 					gf_dm_sess_del(sess);
 				}
 			}
@@ -1691,7 +1715,8 @@ int mp4client_main(int argc, char **argv)
 		fprintf(stderr, "Hit 'h' for help\n\n");
 		str = gf_cfg_get_key(cfg_file, "General", "StartupFile");
 		if (str) {
-			strcpy(the_url, "MP4Client "GPAC_FULL_VERSION);
+			strncpy(the_url, "MP4Client "GPAC_FULL_VERSION , sizeof(the_url)-1);
+			the_url[sizeof(the_url) - 1] = 0;
 			gf_term_connect(term, str);
 			startup_file = 1;
 			is_connected = 1;
diff --git a/modules/ffmpeg_in/ffmpeg_demux.c b/modules/ffmpeg_in/ffmpeg_demux.c
index a674c68..21826c3 100644
--- a/modules/ffmpeg_in/ffmpeg_demux.c
+++ b/modules/ffmpeg_in/ffmpeg_demux.c
@@ -227,7 +227,7 @@ static Bool FFD_CanHandleURL(GF_InputService *plug, const char *url)
 	AVFormatContext *ctx;
 	AVOutputFormat *fmt_out;
 	Bool ret = GF_FALSE;
-	char *ext, szName[1000], szExt[20];
+	char *ext, szName[1024], szExt[20];
 	const char *szExtList;
 	FFDemux *ffd;
 	if (!plug || !url)
@@ -243,6 +243,9 @@ static Bool FFD_CanHandleURL(GF_InputService *plug, const char *url)
 
 	ffd = (FFDemux*)plug->priv;
 
+	if (strlen(url) >= sizeof(szName))
+		return GF_FALSE;
+
 	strcpy(szName, url);
 	ext = strrchr(szName, '#');
 	if (ext) ext[0] = 0;
@@ -252,7 +255,7 @@ static Bool FFD_CanHandleURL(GF_InputService *plug, const char *url)
 	ext = strrchr(szName, '.');
 	if (ext && strlen(ext) > 19) ext = NULL;
 
-	if (ext && strlen(ext) > 1) {
+	if (ext && strlen(ext) > 1 && strlen(ext) <= sizeof(szExt)) {
 		strcpy(szExt, &ext[1]);
 		strlwr(szExt);
 #ifndef FFMPEG_DEMUX_ENABLE_MPEG2TS
diff --git a/src/scene_manager/scene_manager.c b/src/scene_manager/scene_manager.c
index 2638193..0cf297b 100644
--- a/src/scene_manager/scene_manager.c
+++ b/src/scene_manager/scene_manager.c
@@ -646,6 +646,10 @@ GF_Err gf_sm_load_init(GF_SceneLoader *load)
 				ext[0] = '.';
 				ext = anext;
 			}
+			if (strlen(ext) < 2 || strlen(ext) > sizeof(szExt)) {
+				GF_LOG(GF_LOG_ERROR, GF_LOG_SCENE, ("[Scene Manager] invalid extension in file name %s\n", load->fileName));
+				return GF_NOT_SUPPORTED;
+			}
 			strcpy(szExt, &ext[1]);
 			strlwr(szExt);
 			if (strstr(szExt, "bt")) load->type = GF_SM_LOAD_BT;
author	Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>	2020-11-13 21:27:34 -0500
committer	Reinhard Tartler <siretart@tauware.de>	2020-11-13 21:27:34 -0500
commit	5effed60c94f524d8fa2bcb8ec557e70fda9e279 (patch)
tree	2442eeb228d2567e57b6d282eb87b68b6365291c
parent	bcd71967012142ed5d86ecaf9cba98de471b8e6f (diff)