author | Debian Multimedia Maintainers <debian-multimedia@lists.debian.org> | 2020-11-13 21:27:34 -0500 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2020-11-13 21:27:34 -0500 |
commit | 5effed60c94f524d8fa2bcb8ec557e70fda9e279 (patch) | |
tree | 2442eeb228d2567e57b6d282eb87b68b6365291c | |
parent | bcd71967012142ed5d86ecaf9cba98de471b8e6f (diff) |
CVE-2018-20762
commit 35ab4475a7df9b2a4bcab235e379c0c3ec543658
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date: Fri Jan 11 11:32:54 2019 +0100
Description: CVE-2018-20762
fix some overflows due to strcpy
fixes #1184, #1186, #1187 among other things
Gbp-Pq: Name CVE-2018-20762.patch
-rw-r--r-- | applications/mp4box/fileimport.c | 20 | ||||
-rw-r--r-- | applications/mp4client/main.c | 33 | ||||
-rw-r--r-- | modules/ffmpeg_in/ffmpeg_demux.c | 7 | ||||
-rw-r--r-- | src/scene_manager/scene_manager.c | 4 |
4 files changed, 58 insertions, 6 deletions
diff --git a/applications/mp4box/fileimport.c b/applications/mp4box/fileimport.c
index 437110b..e719924 100644
--- a/applications/mp4box/fileimport.c
+++ b/applications/mp4box/fileimport.c
@@ -2247,17 +2247,33 @@ GF_Err cat_multiple_files(GF_ISOFile *dest, char *fileName, u32 import_flags, Do
 cat_enum.align_timelines = align_timelines;
 cat_enum.allow_add_in_command = allow_add_in_command;
+ if (strlen(fileName) >= sizeof(cat_enum.szPath)) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName));
+ return GF_NOT_SUPPORTED;
+ }
 strcpy(cat_enum.szPath, fileName);
 sep = strrchr(cat_enum.szPath, GF_PATH_SEPARATOR);
 if (!sep) sep = strrchr(cat_enum.szPath, '/');
 if (!sep) {
 strcpy(cat_enum.szPath, ".");
+ if (strlen(fileName) >= sizeof(cat_enum.szRad1)) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName));
+ return GF_NOT_SUPPORTED;
+ }
 strcpy(cat_enum.szRad1, fileName);
 } else {
+ if (strlen(sep + 1) >= sizeof(cat_enum.szRad1)) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1)));
+ return GF_NOT_SUPPORTED;
+ }
 strcpy(cat_enum.szRad1, sep+1);
 sep[0] = 0;
 }
 sep = strchr(cat_enum.szRad1, '*');
+ if (strlen(sep + 1) >= sizeof(cat_enum.szRad2)) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1)));
+ return GF_NOT_SUPPORTED;
+ }
 strcpy(cat_enum.szRad2, sep+1);
 sep[0] = 0;
 sep = strchr(cat_enum.szRad2, '%');
@@ -2265,6 +2281,10 @@ GF_Err cat_multiple_files(GF_ISOFile *dest, char *fileName, u32 import_flags, Do
 if (!sep) sep = strchr(cat_enum.szRad2, ':');
 strcpy(cat_enum.szOpt, "");
 if (sep) {
+ if (strlen(sep) >= sizeof(cat_enum.szOpt)) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("Invalid option: %s.\n", sep));
+ return GF_NOT_SUPPORTED;
+ }
 strcpy(cat_enum.szOpt, sep);
 sep[0] = 0;
 }
diff --git a/applications/mp4client/main.c b/applications/mp4client/main.c
index 397bf6c..63b4651 100644
--- a/applications/mp4client/main.c
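Review bot: The length check added before the `szRad2` copy in cat_multiple_files calls `strlen(sep + 1)` immediately after `sep = strchr(cat_enum.szRad1, '*')`, so a name without `*` leaves `sep` NULL and the check itself reads through an invalid pointer. The pre-existing `strcpy(cat_enum.szRad2, sep+1)` carried the same assumption, and callers may only ever pass names that contain `*`, but nothing visible in the hunk guarantees it. A guard such as `if (!sep) return GF_NOT_SUPPORTED;` ahead of the new check would make the precondition explicit. The function starts and continues outside the hunk.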
+++ b/applications/mp4client/main.c @@ -900,7 +900,8 @@ Bool GPAC_EventProc(void *ptr, GF_Event *evt) break; case GF_EVENT_NAVIGATE: if (gf_term_is_supported_url(term, evt->navigate.to_url, 1, no_mime_check)) { - strcpy(the_url, evt->navigate.to_url); + strncpy(the_url, evt->navigate.to_url, sizeof(the_url)-1); + the_url[sizeof(the_url) - 1] = 0; fprintf(stderr, "Navigating to URL %s\n", the_url); gf_term_navigate_to(term, evt->navigate.to_url); return 1; @@ -1089,6 +1090,11 @@ void set_cfg_option(char *opt_string) } { const size_t sepIdx = sep - opt_string; + if (sepIdx >= sizeof(szSec)) { + fprintf(stderr, "Badly formatted option %s - Section name is too long\n", opt_string); + return; + } + strncpy(szSec, opt_string, sepIdx); szSec[sepIdx] = 0; } @@ -1100,8 +1106,16 @@ void set_cfg_option(char *opt_string) } { const size_t sepIdx = sep2 - sep; + if (sepIdx >= sizeof(szKey)) { + fprintf(stderr, "Badly formatted option %s - key name is too long\n", opt_string); + return; + } strncpy(szKey, sep, sepIdx); szKey[sepIdx] = 0; + if (strlen(sep2 + 1) >= sizeof(szVal)) { + fprintf(stderr, "Badly formatted option %s - value is too long\n", opt_string); + return; + } strcpy(szVal, sep2+1); } @@ -1656,7 +1670,14 @@ int mp4client_main(int argc, char **argv) else if (!gui_mode && url_arg) { char *ext; - strcpy(the_url, url_arg); + if (strlen(url_arg) >= sizeof(the_url)) { + fprintf(stderr, "Input url %s is too long, truncating to %d chars.\n", url_arg, (int)(sizeof(the_url) - 1)); + strncpy(the_url, url_arg, sizeof(the_url)-1); + the_url[sizeof(the_url) - 1] = 0; + } + else { + strcpy(the_url, url_arg); + } ext = strrchr(the_url, '.'); if (ext && (!stricmp(ext, ".m3u") || !stricmp(ext, ".pls"))) { GF_Err e = GF_OK; 
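Review bot: In the `url_arg` branch of mp4client_main an over-long URL is cut to `sizeof(the_url) - 1` bytes and then used, so the player goes on with a different resource name than the one supplied, and the `strrchr(the_url, '.')` extension test that follows runs on the cut string. set_cfg_option in this same patch rejects over-long input with a message and `return;`; rejecting here as well would be more predictable, though the cleanup mp4client_main needs before returning is outside the hunk. The GF_EVENT_NAVIGATE hunk has the related issue that `the_url` is truncated silently while `gf_term_navigate_to` still receives the full `evt->navigate.to_url`, so the stored and the loaded URL can disagree without any log line.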
@@ -1668,7 +1689,10 @@ int mp4client_main(int argc, char **argv) GF_DownloadSession *sess = gf_dm_sess_new(term->downloader, the_url, GF_NETIO_SESSION_NOT_THREADED, NULL, NULL, &e); if (sess) { e = gf_dm_sess_process(sess); - if (!e) strcpy(the_url, gf_dm_sess_get_cache_name(sess)); + if (!e) { + strncpy(the_url, gf_dm_sess_get_cache_name(sess), sizeof(the_url) - 1); + the_url[sizeof(the_cfg) - 1] = 0; + } gf_dm_sess_del(sess); } } @@ -1691,7 +1715,8 @@ int mp4client_main(int argc, char **argv) fprintf(stderr, "Hit 'h' for help\n\n"); str = gf_cfg_get_key(cfg_file, "General", "StartupFile"); if (str) { - strcpy(the_url, "MP4Client "GPAC_FULL_VERSION); + strncpy(the_url, "MP4Client "GPAC_FULL_VERSION , sizeof(the_url)-1); + the_url[sizeof(the_url) - 1] = 0; gf_term_connect(term, str); startup_file = 1; is_connected = 1; diff --git a/modules/ffmpeg_in/ffmpeg_demux.c b/modules/ffmpeg_in/ffmpeg_demux.c index a674c68..21826c3 100644 --- a/modules/ffmpeg_in/ffmpeg_demux.c +++ b/modules/ffmpeg_in/ffmpeg_demux.c @@ -227,7 +227,7 @@ static Bool FFD_CanHandleURL(GF_InputService *plug, const char *url) AVFormatContext *ctx; AVOutputFormat *fmt_out; Bool ret = GF_FALSE; - char *ext, szName[1000], szExt[20]; + char *ext, szName[1024], szExt[20]; const char *szExtList; FFDemux *ffd; if (!plug || !url) @@ -243,6 +243,9 @@ static Bool FFD_CanHandleURL(GF_InputService *plug, const char *url) ffd = (FFDemux*)plug->priv; + if (strlen(url) >= sizeof(szName)) + return GF_FALSE; + strcpy(szName, url); ext = strrchr(szName, '#'); if (ext) ext[0] = 0; @@ -252,7 +255,7 @@ static Bool FFD_CanHandleURL(GF_InputService *plug, const char *url) ext = strrchr(szName, '.'); if (ext && strlen(ext) > 19) ext = NULL; - if (ext && strlen(ext) > 1) { + if (ext && strlen(ext) > 1 && strlen(ext) <= sizeof(szExt)) { strcpy(szExt, &ext[1]); strlwr(szExt); #ifndef FFMPEG_DEMUX_ENABLE_MPEG2TS diff --git a/src/scene_manager/scene_manager.c b/src/scene_manager/scene_manager.c index 2638193..0cf297b 100644 
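Review bot: The terminator added after the cache-name copy is written at `the_url[sizeof(the_cfg) - 1]`, whereas every other hunk in this patch uses `sizeof(the_url) - 1`. The declaration of `the_cfg` is not visible here; if it is a pointer or a buffer of a different size, this either cuts the cache name short or writes outside `the_url`, and when the name fills the buffer `strncpy` leaves it unterminated. The line should read `the_url[sizeof(the_url) - 1] = 0;`.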
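Review bot: The added `strlen(ext) <= sizeof(szExt)` test in FFD_CanHandleURL is safe only because the copy starts at `&ext[1]`, and it is already implied by the `strlen(ext) > 19` reset on the context line before it, so it reads like an off-by-one. Writing the bound on the string that is actually copied, `strlen(ext + 1) < sizeof(szExt)`, matches the `>= sizeof(...)` form used in the other hunks and keeps working if `szExt` is resized. The gf_sm_load_init hunk in scene_manager.c has the same shape with `strlen(ext) > sizeof(szExt)`; there `if (strlen(ext) < 2 || strlen(ext + 1) >= sizeof(szExt)) {` would state the limit directly.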
--- a/src/scene_manager/scene_manager.c
+++ b/src/scene_manager/scene_manager.c
@@ -646,6 +646,10 @@ GF_Err gf_sm_load_init(GF_SceneLoader *load)
 ext[0] = '.';
 ext = anext;
 }
+ if (strlen(ext) < 2 || strlen(ext) > sizeof(szExt)) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_SCENE, ("[Scene Manager] invalid extension in file name %s\n", load->fileName));
+ return GF_NOT_SUPPORTED;
+ }
 strcpy(szExt, &ext[1]);
 strlwr(szExt);
 if (strstr(szExt, "bt")) load->type = GF_SM_LOAD_BT; |