From 6b963e139d2769b167b333c220c7d5756d353ef1 Mon Sep 17 00:00:00 2001 From: Alessio Treglia Date: Sat, 13 Apr 2019 16:52:04 -0400 Subject: Add -O2 to CFLAGS by default, -O0 if noopt is set. Forwarded: not-needed Forwarded: not-needed Gbp-Pq: Name gcc-optflags.patch --- configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 485bfe2..adab0ca 100755 --- a/configure +++ b/configure @@ -360,7 +360,7 @@ for opt do ;; --cpu=*) cpu=`echo $opt | cut -d '=' -f 2` ;; - --enable-debug) debuginfo="yes"; no_gcc_opt="yes" + --enable-debug) debuginfo="yes"; ;; --disable-opt) no_gcc_opt="yes" ;; @@ -708,7 +708,7 @@ fi #GCC opt if test "$no_gcc_opt" = "no"; then - CFLAGS="-O3 $CFLAGS" + CFLAGS="-O2 $CFLAGS" else CFLAGS="-O0 $CFLAGS" fi -- cgit v1.2.3 From 0f3bb0bfe881068646bccaf632ea075ffbe3ecf0 Mon Sep 17 00:00:00 2001 From: Balint Reczey Date: Sat, 13 Apr 2019 16:52:04 -0400 Subject: Don't fail build intentionally on unknown systems Gbp-Pq: Name dont-err-build-on-uknown-system.patch --- include/gpac/configuration.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/gpac/configuration.h b/include/gpac/configuration.h index ad70bb8..6b1f2b2 100644 --- a/include/gpac/configuration.h +++ b/include/gpac/configuration.h @@ -159,8 +159,8 @@ #define GPAC_HAS_JPEG #define GPAC_HAS_PNG -#else -#error "Unknown target platform used with static configuration file" +//#else +//#error "Unknown target platform used with static configuration file" #endif -- cgit v1.2.3 From b8bf794772bfb58bf4139bb95794c8ceec322c42 Mon Sep 17 00:00:00 2001 
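Review bot: In include/gpac/configuration.h the `#else` / `#error` pair is commented out rather than replaced, so an unrecognised target now compiles without any of the `GPAC_HAS_*` defines set in the branches above, and nothing in the build log says so. If the build must not fail, a diagnostic such as `#warning "Unknown target platform used with static configuration file"` (accepted by GCC and Clang) keeps the condition visible. Otherwise delete the two lines instead of leaving dead code behind `//`. The `#if` chain this belongs to starts outside the hunk.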
From: James Cowgill Date: Sat, 13 Apr 2019 16:52:04 -0400 Subject: Fix FTBFS with FFmpeg 4.0 Bug: https://github.com/gpac/gpac/pull/1063 Bug-Debian: https://bugs.debian.org/888343 Bug-Debian: https://bugs.debian.org/888343 Gbp-Pq: Name ffmpeg_4.patch --- applications/dashcast/video_encoder.c | 2 +- modules/ffmpeg_in/ffmpeg_decode.c | 6 +++--- modules/redirect_av/ffmpeg_ts_muxer.c | 4 ++-- modules/redirect_av/redirect_av.c | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/applications/dashcast/video_encoder.c b/applications/dashcast/video_encoder.c index 875e0bd..737c24d 100644 --- a/applications/dashcast/video_encoder.c +++ b/applications/dashcast/video_encoder.c @@ -144,7 +144,7 @@ int dc_video_encoder_open(VideoOutputFile *video_output_file, VideoDataConf *vid } //the global header gives access to the extradata (SPS/PPS) - video_output_file->codec_ctx->flags |= CODEC_FLAG_GLOBAL_HEADER; + video_output_file->codec_ctx->flags |= AV_CODEC_FLAG_GLOBAL_HEADER; video_output_file->vstream_idx = 0;//video_stream->index; diff --git a/modules/ffmpeg_in/ffmpeg_decode.c b/modules/ffmpeg_in/ffmpeg_decode.c index d76091d..3a33300 100644 --- a/modules/ffmpeg_in/ffmpeg_decode.c +++ b/modules/ffmpeg_in/ffmpeg_decode.c @@ -49,7 +49,7 @@ static uint8_t * ffmpeg_realloc_buffer(uint8_t * oldBuffer, u32 size) { uint8_t * buffer; /* Size of buffer must be larger, see avcodec_decode_video2 documentation */ - u32 allocatedSz = sizeof( char ) * (FF_INPUT_BUFFER_PADDING_SIZE + size); + u32 allocatedSz = sizeof( char ) * (AV_INPUT_BUFFER_PADDING_SIZE + size); if (oldBuffer) gf_free(oldBuffer); buffer = (uint8_t*)gf_malloc( allocatedSz ); 
@@ -577,7 +577,7 @@ static GF_Err FFDEC_GetCapabilities(GF_BaseDecoder *plug, GF_CodecCapability *ca capability->cap.valueInt = 1; return GF_OK; case GF_CODEC_PADDING_BYTES: - capability->cap.valueInt = FF_INPUT_BUFFER_PADDING_SIZE; + capability->cap.valueInt = AV_INPUT_BUFFER_PADDING_SIZE; return GF_OK; case GF_CODEC_REORDER: capability->cap.valueInt = 1; @@ -669,7 +669,7 @@ static GF_Err FFDEC_GetCapabilities(GF_BaseDecoder *plug, GF_CodecCapability *ca break; case GF_CODEC_PADDING_BYTES: - capability->cap.valueInt = FF_INPUT_BUFFER_PADDING_SIZE; + capability->cap.valueInt = AV_INPUT_BUFFER_PADDING_SIZE; break; default: capability->cap.valueInt = 0; diff --git a/modules/redirect_av/ffmpeg_ts_muxer.c b/modules/redirect_av/ffmpeg_ts_muxer.c index e325e19..a470cbb 100644 --- a/modules/redirect_av/ffmpeg_ts_muxer.c +++ b/modules/redirect_av/ffmpeg_ts_muxer.c @@ -201,7 +201,7 @@ GF_AbstractTSMuxer * ts_amux_new(GF_AVRedirect * avr, u32 videoBitrateInBitsPerS c->time_base.den = 1000; // some formats want stream headers to be separate if (ts->oc->oformat->flags & AVFMT_GLOBALHEADER) - c->flags |= CODEC_FLAG_GLOBAL_HEADER; + c->flags |= AV_CODEC_FLAG_GLOBAL_HEADER; } #endif @@ -240,7 +240,7 @@ GF_AbstractTSMuxer * ts_amux_new(GF_AVRedirect * avr, u32 videoBitrateInBitsPerS } // some formats want stream headers to be separate if (ts->oc->oformat->flags & AVFMT_GLOBALHEADER) - c->flags |= CODEC_FLAG_GLOBAL_HEADER; + c->flags |= AV_CODEC_FLAG_GLOBAL_HEADER; } //av_set_pts_info(ts->audio_st, 33, 1, audioBitRateInBitsPerSec); diff --git a/modules/redirect_av/redirect_av.c b/modules/redirect_av/redirect_av.c index 5d3148b..7388df0 100644 --- a/modules/redirect_av/redirect_av.c +++ b/modules/redirect_av/redirect_av.c 
@@ -133,7 +133,7 @@ static u32 audio_encoding_thread_run(void *param) AVCodecContext * ctx = NULL; assert( avr ); - outBuffSize = FF_MIN_BUFFER_SIZE; + outBuffSize = AV_INPUT_BUFFER_MIN_SIZE; outBuff = (u8*)gf_malloc(outBuffSize* sizeof(u8)); inBuff = NULL; -- cgit v1.2.3 From ff1e09227854cc48f6f0f55ecfbf28d63799d802 Mon Sep 17 00:00:00 2001 From: Debian Multimedia Maintainers Date: Sat, 13 Apr 2019 16:52:04 -0400 Subject: fix_makefile_install Gbp-Pq: Name fix_makefile_install.patch --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 9849173..9efa741 100644 --- a/Makefile +++ b/Makefile @@ -140,6 +140,7 @@ ifneq ($(MP4BOX_STATIC),yes) endif $(INSTALL) -d "$(DESTDIR)$(mandir)" $(INSTALL) -d "$(DESTDIR)$(mandir)/man1" + $(INSTALL) $(INSTFLAGS) -m 644 $(SRC_PATH)/doc/man/mp42ts.1 $(DESTDIR)$(mandir)/man1/MP42TS.1 $(INSTALL) $(INSTFLAGS) -m 644 $(SRC_PATH)/doc/man/mp4box.1 $(DESTDIR)$(mandir)/man1/ $(INSTALL) $(INSTFLAGS) -m 644 $(SRC_PATH)/doc/man/mp4client.1 $(DESTDIR)$(mandir)/man1/ $(INSTALL) $(INSTFLAGS) -m 644 $(SRC_PATH)/doc/man/gpac.1 $(DESTDIR)$(mandir)/man1/ @@ -149,7 +150,7 @@ endif $(INSTALL) $(INSTFLAGS) -m 644 $(SRC_PATH)/gui/gui.bt "$(DESTDIR)$(prefix)/share/gpac/gui/" $(INSTALL) $(INSTFLAGS) -m 644 $(SRC_PATH)/gui/gui.js "$(DESTDIR)$(prefix)/share/gpac/gui/" $(INSTALL) $(INSTFLAGS) -m 644 $(SRC_PATH)/gui/gwlib.js "$(DESTDIR)$(prefix)/share/gpac/gui/" - $(INSTALL) $(INSTFLAGS) -m 644 $(SRC_PATH)/gui/mpegu-core.js "$(DESTDIR)$(prefix)/share/gpac/gui/" + -$(INSTALL) $(INSTFLAGS) -m 644 $(SRC_PATH)/gui/mpegu-core.js "$(DESTDIR)$(prefix)/share/gpac/gui/" $(INSTALL) $(INSTFLAGS) -m 644 $(SRC_PATH)/gui/webvtt-renderer.js "$(DESTDIR)$(prefix)/share/gpac/gui/" $(INSTALL) -d "$(DESTDIR)$(prefix)/share/gpac/gui/icons" $(INSTALL) -d "$(DESTDIR)$(prefix)/share/gpac/gui/extensions" -- cgit v1.2.3 From 3ecdf3d92cae45871282bd695aed7011d4ef90ee Mon Sep 17 00:00:00 2001 
From: Aurelien David Date: Tue, 6 Mar 2018 11:23:31 +0100 Subject: CVE-2018-7752 Upstream: commit 90dc7f853d31b0a4e9441cba97feccf36d8b69a4 fix some exploitable overflows (#994, #997) Gbp-Pq: Name CVE-2018-7752.patch --- include/gpac/tools.h | 1 + src/isomedia/avc_ext.c | 2 ++ src/media_tools/av_parsers.c | 4 ++++ 3 files changed, 7 insertions(+) diff --git a/include/gpac/tools.h b/include/gpac/tools.h index a799f8c..44affa6 100644 --- a/include/gpac/tools.h +++ b/include/gpac/tools.h @@ -1067,6 +1067,7 @@ void gf_fm_request_call(u32 type, u32 param, int *value); /* \endcond */ +#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0])) #ifdef __cplusplus } diff --git a/src/isomedia/avc_ext.c b/src/isomedia/avc_ext.c index 933ef5a..cc78cd5 100644 --- a/src/isomedia/avc_ext.c +++ b/src/isomedia/avc_ext.c @@ -2361,6 +2361,8 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs) op->output_layer_set_idx = gf_bs_read_u16(bs); op->max_temporal_id = gf_bs_read_u8(bs); op->layer_count = gf_bs_read_u8(bs); + if (op->layer_count > ARRAY_LENGTH(op->layers_info)) + return GF_NON_COMPLIANT_BITSTREAM; for (j = 0; j < op->layer_count; j++) { op->layers_info[j].ptl_idx = gf_bs_read_u8(bs); op->layers_info[j].layer_id = gf_bs_read_int(bs, 6); diff --git a/src/media_tools/av_parsers.c b/src/media_tools/av_parsers.c index 9cb8d13..d5a9810 100644 --- a/src/media_tools/av_parsers.c +++ b/src/media_tools/av_parsers.c @@ -2386,6 +2386,10 @@ s32 gf_media_avc_read_sps(const char *sps_data, u32 sps_size, AVCState *avc, u32 sps->offset_for_non_ref_pic = bs_get_se(bs); sps->offset_for_top_to_bottom_field = bs_get_se(bs); sps->poc_cycle_length = bs_get_ue(bs); + if (sps->poc_cycle_length > ARRAY_LENGTH(sps->offset_for_ref_frame)) { + GF_LOG(GF_LOG_ERROR, GF_LOG_CODING, ("[avc-h264] offset_for_ref_frame overflow from poc_cycle_length\n")); + goto exit; + } for(i=0; ipoc_cycle_length; i++) sps->offset_for_ref_frame[i] = bs_get_se(bs); } if (sps->poc_type > 2) { -- cgit v1.2.3 
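Review bot: `ARRAY_LENGTH` in include/gpac/tools.h is added without a comment, although the bounds checks in this series depend on it being applied to a true array. Applied to a pointer or an array-typed function parameter it evaluates to `sizeof(ptr) / sizeof(elem)`, so the check would compare against the wrong limit without any warning. I would add `/* element count of a real array; never use on a pointer or a function parameter */` directly above the define.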
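Review bot: The early `return GF_NON_COMPLIANT_BITSTREAM;` added to gf_isom_oinf_read_entry in src/isomedia/avc_ext.c leaves `op` untouched, and the hunk does not show where `op` comes from. If it is allocated earlier in the same loop iteration and only attached to its list after the layer loop, every rejected entry leaks it. Releasing `op` before returning would close that. The function starts and ends outside the hunk, so this needs checking against the full source.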
From 892098a07af14a138e34e07e9de646eb8a4a2ee4 Mon Sep 17 00:00:00 2001 From: Debian Multimedia Maintainers Date: Sat, 13 Apr 2019 16:52:04 -0400 Subject: CVE-2018-20762 commit 35ab4475a7df9b2a4bcab235e379c0c3ec543658 Author: Aurelien David Date: Fri Jan 11 11:32:54 2019 +0100 Description: CVE-2018-20762 fix some overflows due to strcpy fixes #1184, #1186, #1187 among other things Gbp-Pq: Name CVE-2018-20762.patch --- applications/mp4box/fileimport.c | 20 ++++++++++++++++++++ applications/mp4client/main.c | 33 +++++++++++++++++++++++++++++---- modules/ffmpeg_in/ffmpeg_demux.c | 7 +++++-- src/scene_manager/scene_manager.c | 4 ++++ 4 files changed, 58 insertions(+), 6 deletions(-) diff --git a/applications/mp4box/fileimport.c b/applications/mp4box/fileimport.c index 437110b..e719924 100644 --- a/applications/mp4box/fileimport.c +++ b/applications/mp4box/fileimport.c 
@@ -2247,17 +2247,33 @@ GF_Err cat_multiple_files(GF_ISOFile *dest, char *fileName, u32 import_flags, Do cat_enum.align_timelines = align_timelines; cat_enum.allow_add_in_command = allow_add_in_command; + if (strlen(fileName) >= sizeof(cat_enum.szPath)) { + GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName)); + return GF_NOT_SUPPORTED; + } strcpy(cat_enum.szPath, fileName); sep = strrchr(cat_enum.szPath, GF_PATH_SEPARATOR); if (!sep) sep = strrchr(cat_enum.szPath, '/'); if (!sep) { strcpy(cat_enum.szPath, "."); + if (strlen(fileName) >= sizeof(cat_enum.szRad1)) { + GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName)); + return GF_NOT_SUPPORTED; + } strcpy(cat_enum.szRad1, fileName); } else { + if (strlen(sep + 1) >= sizeof(cat_enum.szRad1)) { + GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1))); + return GF_NOT_SUPPORTED; + } strcpy(cat_enum.szRad1, sep+1); sep[0] = 0; } sep = strchr(cat_enum.szRad1, '*'); + if (strlen(sep + 1) >= sizeof(cat_enum.szRad2)) { + GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1))); + return GF_NOT_SUPPORTED; + } strcpy(cat_enum.szRad2, sep+1); sep[0] = 0; sep = strchr(cat_enum.szRad2, '%'); @@ -2265,6 +2281,10 @@ GF_Err cat_multiple_files(GF_ISOFile *dest, char *fileName, u32 import_flags, Do if (!sep) sep = strchr(cat_enum.szRad2, ':'); strcpy(cat_enum.szOpt, ""); if (sep) { + if (strlen(sep) >= sizeof(cat_enum.szOpt)) { + GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("Invalid option: %s.\n", sep)); + return GF_NOT_SUPPORTED; + } strcpy(cat_enum.szOpt, sep); sep[0] = 0; } diff --git a/applications/mp4client/main.c b/applications/mp4client/main.c index 397bf6c..63b4651 100644 --- a/applications/mp4client/main.c +++ b/applications/mp4client/main.c 
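Review bot: In cat_multiple_files (applications/mp4box/fileimport.c), `sep = strchr(cat_enum.szRad1, '*');` is followed directly by the new `strlen(sep + 1)` check, so a name without `*` reaches it with `sep == NULL`. The `sep[0] = 0;` after the copy makes the same assumption. Unless every caller guarantees a wildcard, which this hunk does not show, add `if (!sep) return GF_NOT_SUPPORTED;` before the length check. The function body continues outside the hunk.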
@@ -900,7 +900,8 @@ Bool GPAC_EventProc(void *ptr, GF_Event *evt) break; case GF_EVENT_NAVIGATE: if (gf_term_is_supported_url(term, evt->navigate.to_url, 1, no_mime_check)) { - strcpy(the_url, evt->navigate.to_url); + strncpy(the_url, evt->navigate.to_url, sizeof(the_url)-1); + the_url[sizeof(the_url) - 1] = 0; fprintf(stderr, "Navigating to URL %s\n", the_url); gf_term_navigate_to(term, evt->navigate.to_url); return 1; @@ -1089,6 +1090,11 @@ void set_cfg_option(char *opt_string) } { const size_t sepIdx = sep - opt_string; + if (sepIdx >= sizeof(szSec)) { + fprintf(stderr, "Badly formatted option %s - Section name is too long\n", opt_string); + return; + } + strncpy(szSec, opt_string, sepIdx); szSec[sepIdx] = 0; } @@ -1100,8 +1106,16 @@ void set_cfg_option(char *opt_string) } { const size_t sepIdx = sep2 - sep; + if (sepIdx >= sizeof(szKey)) { + fprintf(stderr, "Badly formatted option %s - key name is too long\n", opt_string); + return; + } strncpy(szKey, sep, sepIdx); szKey[sepIdx] = 0; + if (strlen(sep2 + 1) >= sizeof(szVal)) { + fprintf(stderr, "Badly formatted option %s - value is too long\n", opt_string); + return; + } strcpy(szVal, sep2+1); } @@ -1656,7 +1670,14 @@ int mp4client_main(int argc, char **argv) else if (!gui_mode && url_arg) { char *ext; - strcpy(the_url, url_arg); + if (strlen(url_arg) >= sizeof(the_url)) { + fprintf(stderr, "Input url %s is too long, truncating to %d chars.\n", url_arg, (int)(sizeof(the_url) - 1)); + strncpy(the_url, url_arg, sizeof(the_url)-1); + the_url[sizeof(the_url) - 1] = 0; + } + else { + strcpy(the_url, url_arg); + } ext = strrchr(the_url, '.'); if (ext && (!stricmp(ext, ".m3u") || !stricmp(ext, ".pls"))) { GF_Err e = GF_OK; 
@@ -1668,7 +1689,10 @@ int mp4client_main(int argc, char **argv) GF_DownloadSession *sess = gf_dm_sess_new(term->downloader, the_url, GF_NETIO_SESSION_NOT_THREADED, NULL, NULL, &e); if (sess) { e = gf_dm_sess_process(sess); - if (!e) strcpy(the_url, gf_dm_sess_get_cache_name(sess)); + if (!e) { + strncpy(the_url, gf_dm_sess_get_cache_name(sess), sizeof(the_url) - 1); + the_url[sizeof(the_cfg) - 1] = 0; + } gf_dm_sess_del(sess); } } @@ -1691,7 +1715,8 @@ int mp4client_main(int argc, char **argv) fprintf(stderr, "Hit 'h' for help\n\n"); str = gf_cfg_get_key(cfg_file, "General", "StartupFile"); if (str) { - strcpy(the_url, "MP4Client "GPAC_FULL_VERSION); + strncpy(the_url, "MP4Client "GPAC_FULL_VERSION , sizeof(the_url)-1); + the_url[sizeof(the_url) - 1] = 0; gf_term_connect(term, str); startup_file = 1; is_connected = 1; diff --git a/modules/ffmpeg_in/ffmpeg_demux.c b/modules/ffmpeg_in/ffmpeg_demux.c index a674c68..21826c3 100644 --- a/modules/ffmpeg_in/ffmpeg_demux.c +++ b/modules/ffmpeg_in/ffmpeg_demux.c @@ -227,7 +227,7 @@ static Bool FFD_CanHandleURL(GF_InputService *plug, const char *url) AVFormatContext *ctx; AVOutputFormat *fmt_out; Bool ret = GF_FALSE; - char *ext, szName[1000], szExt[20]; + char *ext, szName[1024], szExt[20]; const char *szExtList; FFDemux *ffd; if (!plug || !url) @@ -243,6 +243,9 @@ static Bool FFD_CanHandleURL(GF_InputService *plug, const char *url) ffd = (FFDemux*)plug->priv; + if (strlen(url) >= sizeof(szName)) + return GF_FALSE; + strcpy(szName, url); ext = strrchr(szName, '#'); if (ext) ext[0] = 0; @@ -252,7 +255,7 @@ static Bool FFD_CanHandleURL(GF_InputService *plug, const char *url) ext = strrchr(szName, '.'); if (ext && strlen(ext) > 19) ext = NULL; - if (ext && strlen(ext) > 1) { + if (ext && strlen(ext) > 1 && strlen(ext) <= sizeof(szExt)) { strcpy(szExt, &ext[1]); strlwr(szExt); #ifndef FFMPEG_DEMUX_ENABLE_MPEG2TS diff --git a/src/scene_manager/scene_manager.c b/src/scene_manager/scene_manager.c index 2638193..0cf297b 100644 
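Review bot: The terminator after the cache-name copy in mp4client_main (applications/mp4client/main.c, hunk at -1668) is written at `the_url[sizeof(the_cfg) - 1]`, while the `strncpy` above it is bounded by `sizeof(the_url) - 1`. `the_cfg` is not declared in the hunk; if it is a pointer or an array of a different size, the NUL lands at the wrong index and a full-length cache name leaves `the_url` unterminated. The line should read `the_url[sizeof(the_url) - 1] = 0;`, as the other call sites in this patch do. It may also be worth confirming that `gf_dm_sess_get_cache_name(sess)` cannot return NULL before it is handed to `strncpy`.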
--- a/src/scene_manager/scene_manager.c +++ b/src/scene_manager/scene_manager.c @@ -646,6 +646,10 @@ GF_Err gf_sm_load_init(GF_SceneLoader *load) ext[0] = '.'; ext = anext; } + if (strlen(ext) < 2 || strlen(ext) > sizeof(szExt)) { + GF_LOG(GF_LOG_ERROR, GF_LOG_SCENE, ("[Scene Manager] invalid extension in file name %s\n", load->fileName)); + return GF_NOT_SUPPORTED; + } strcpy(szExt, &ext[1]); strlwr(szExt); if (strstr(szExt, "bt")) load->type = GF_SM_LOAD_BT; -- cgit v1.2.3 From 0c0f426bd5a1df8839369d39ec0f836c88378878 Mon Sep 17 00:00:00 2001 From: Debian Multimedia Maintainers Date: Sat, 13 Apr 2019 16:52:04 -0400 Subject: CVE-2018-20763 commit 1c449a34fe0b50aaffb881bfb9d7c5ab0bb18cdd Author: Aurelien David Date: Fri Jan 11 14:05:16 2019 +0100 Description: CVE-2018-20763 add some boundary checks on gf_text_get_utf8_line (#1188) Gbp-Pq: Name CVE-2018-20763.patch --- src/media_tools/text_import.c | 77 +++++++++++++++++++++++++++++-------------- 1 file changed, 52 insertions(+), 25 deletions(-) diff --git a/src/media_tools/text_import.c b/src/media_tools/text_import.c index cd43e10..9f6fb10 100644 --- a/src/media_tools/text_import.c +++ b/src/media_tools/text_import.c 
@@ -201,49 +201,76 @@ char *gf_text_get_utf8_line(char *szLine, u32 lineSize, FILE *txt_in, s32 unicod if (unicode_type<=1) { j=0; len = (u32) strlen(szLine); - for (i=0; i> 6) & 0x3 ); - j++; - szLine[i] &= 0xbf; + if (j + 1 < sizeof(szLineConv) - 1) { + szLineConv[j] = 0xc0 | ((szLine[i] >> 6) & 0x3); + j++; + szLine[i] &= 0xbf; + } + else + break; } /*UTF8 2 bytes char*/ else if ( (szLine[i] & 0xe0) == 0xc0) { - szLineConv[j] = szLine[i]; - i++; - j++; + + // don't cut multibyte in the middle in there is no more room in dest + if (j + 1 < sizeof(szLineConv) - 1 && i + 1 < len) { + szLineConv[j] = szLine[i]; + i++; + j++; + } + else { + break; + } } /*UTF8 3 bytes char*/ else if ( (szLine[i] & 0xf0) == 0xe0) { - szLineConv[j] = szLine[i]; - i++; - j++; - szLineConv[j] = szLine[i]; - i++; - j++; + if (j + 2 < sizeof(szLineConv) - 1 && i + 2 < len) { + szLineConv[j] = szLine[i]; + i++; + j++; + szLineConv[j] = szLine[i]; + i++; + j++; + } + else { + break; + } } /*UTF8 4 bytes char*/ else if ( (szLine[i] & 0xf8) == 0xf0) { - szLineConv[j] = szLine[i]; - i++; - j++; - szLineConv[j] = szLine[i]; - i++; - j++; - szLineConv[j] = szLine[i]; - i++; - j++; + if (j + 3 < sizeof(szLineConv) - 1 && i + 3 < len) { + szLineConv[j] = szLine[i]; + i++; + j++; + szLineConv[j] = szLine[i]; + i++; + j++; + szLineConv[j] = szLine[i]; + i++; + j++; + } + else { + break; + } } else { i+=1; continue; } } - szLineConv[j] = szLine[i]; - j++; + if (j < sizeof(szLineConv)-1 && i= sizeof(szLineConv)) + szLineConv[sizeof(szLineConv) - 1] = 0; + else + szLineConv[j] = 0; + strcpy(szLine, szLineConv); return sOK; } -- cgit v1.2.3 From 8391e91384d5a8a2d4395be831eae169aadc91c1 Mon Sep 17 00:00:00 2001 
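Review bot: The closing `strcpy(szLine, szLineConv);` in gf_text_get_utf8_line (src/media_tools/text_import.c) is still unbounded, although every new check in this hunk is against `sizeof(szLineConv)` and none against `lineSize`. The one-byte-to-two-byte branch can make the converted text longer than the input, so a caller passing a buffer smaller than `szLineConv` can be overrun on the copy back; the caller sizes are not visible here. A bounded copy such as `strncpy(szLine, szLineConv, lineSize - 1); szLine[lineSize - 1] = 0;` (with `lineSize == 0` rejected earlier) closes it. The same `strcpy` follows the `gf_utf8_wcstombs` check in the CVE-2018-20760 hunk, where the literal `1024` would also be better written as `ARRAY_LENGTH(szLineConv)`.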
From: Debian Multimedia Maintainers Date: Sat, 13 Apr 2019 16:52:04 -0400 Subject: CVE-2018-20760 commit 4c1360818fc8948e9307059fba4dc47ba8ad255d Author: Aurelien David Date: Thu Dec 13 14:39:21 2018 +0100 Description: CVE-2018-20760 check error code on call to gf_utf8_wcstombs (#1177) Gbp-Pq: Name CVE-2018-20760.patch --- src/media_tools/text_import.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/media_tools/text_import.c b/src/media_tools/text_import.c index 9f6fb10..f111e05 100644 --- a/src/media_tools/text_import.c +++ b/src/media_tools/text_import.c @@ -292,6 +292,8 @@ char *gf_text_get_utf8_line(char *szLine, u32 lineSize, FILE *txt_in, s32 unicod } sptr = (u16 *)szLine; i = (u32) gf_utf8_wcstombs(szLineConv, 1024, (const unsigned short **) &sptr); + if (i >= (u32)ARRAY_LENGTH(szLineConv)) + return NULL; szLineConv[i] = 0; strcpy(szLine, szLineConv); /*this is ugly indeed: since input is UTF16-LE, there are many chances the fgets never reads the \0 after a \n*/ -- cgit v1.2.3 From 3a7d0de81cacbc3a414a38069ca3a6684ffb206a Mon Sep 17 00:00:00 2001 From: Debian Multimedia Maintainers Date: Sat, 13 Apr 2019 16:52:04 -0400 Subject: CVE-2018-13005 commit bceb03fd2be95097a7b409ea59914f332fb6bc86 Author: Aurelien David Date: Thu Jun 28 13:34:08 2018 +0200 Description: CVE-2018-13005, CVE-2018-13006 fixed 2 possible heap overflows (inc. #1088) Gbp-Pq: Name CVE-2018-13005.patch --- include/gpac/internal/isomedia_dev.h | 2 +- src/isomedia/box_code_base.c | 2 +- src/isomedia/box_dump.c | 14 +++++++------- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/include/gpac/internal/isomedia_dev.h b/include/gpac/internal/isomedia_dev.h index 11e9905..88112db 100644 --- a/include/gpac/internal/isomedia_dev.h +++ b/include/gpac/internal/isomedia_dev.h 
@@ -3668,7 +3668,7 @@ GF_GenericSubtitleSample *gf_isom_parse_generic_subtitle_sample_from_data(char * char __ptype[5];\ strcpy(__ptype, gf_4cc_to_str(__parent->type) );\ GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[iso file] extra box %s found in %s, deleting\n", gf_4cc_to_str(__abox->type), __ptype)); \ - gf_isom_box_del(a);\ + gf_isom_box_del(__abox);\ return GF_OK;\ } diff --git a/src/isomedia/box_code_base.c b/src/isomedia/box_code_base.c index a21c390..873a6ee 100644 --- a/src/isomedia/box_code_base.c +++ b/src/isomedia/box_code_base.c @@ -632,7 +632,7 @@ GF_Err urn_Read(GF_Box *s, GF_BitStream *bs) //then get the break i = 0; - while ( (tmpName[i] != 0) && (i < to_read) ) { + while ( (i < to_read) && (tmpName[i] != 0) ) { i++; } //check the data is consistent diff --git a/src/isomedia/box_dump.c b/src/isomedia/box_dump.c index cbfaa73..247c352 100644 --- a/src/isomedia/box_dump.c +++ b/src/isomedia/box_dump.c @@ -484,7 +484,7 @@ GF_Err hdlr_dump(GF_Box *a, FILE * trace) { GF_HandlerBox *p = (GF_HandlerBox *)a; gf_isom_box_dump_start(a, "HandlerBox", trace); - if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8+1)) { + if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1) { fprintf(trace, "hdlrType=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8+1); } else { fprintf(trace, "hdlrType=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8); 
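Review bot: In hdlr_dump (src/isomedia/box_dump.c) the `else` branch still passes `p->nameUTF8` to `%s` when the pointer is NULL, because the NULL test is part of the same condition that selects the branch. I would print `p->nameUTF8 ? p->nameUTF8 : ""` there. Separately, `(u32) p->nameUTF8[0]` sign-extends where `char` is signed, so a length byte of 0x80 or more can never equal `strlen(p->nameUTF8)-1`; casting through an unsigned byte first, `(u32)(u8) p->nameUTF8[0]`, makes the comparison do what it says.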
@@ -4157,9 +4157,9 @@ static void oinf_entry_dump(GF_OperatingPointsInformation *ptr, FILE * trace) fprintf(trace, " maxPicWidth=\"%u\" maxPicHeight=\"%u\"", op->maxPicWidth, op->maxPicHeight); fprintf(trace, " maxChromaFormat=\"%u\" maxBitDepth=\"%u\"", op->maxChromaFormat, op->maxBitDepth); fprintf(trace, " frame_rate_info_flag=\"%u\" bit_rate_info_flag=\"%u\"", op->frame_rate_info_flag, op->bit_rate_info_flag); - if (op->frame_rate_info_flag) + if (op->frame_rate_info_flag) fprintf(trace, " avgFrameRate=\"%u\" constantFrameRate=\"%u\"", op->avgFrameRate, op->constantFrameRate); - if (op->bit_rate_info_flag) + if (op->bit_rate_info_flag) fprintf(trace, " maxBitRate=\"%u\" avgBitRate=\"%u\"", op->maxBitRate, op->avgBitRate); fprintf(trace, "/>\n"); } @@ -4261,14 +4261,14 @@ static void nalm_dump(FILE * trace, char *data, u32 data_size) fprintf(trace, "\n"); return; } - + bs = gf_bs_new(data, data_size, GF_BITSTREAM_READ); gf_bs_read_int(bs, 6); large_size = gf_bs_read_int(bs, 1); rle = gf_bs_read_int(bs, 1); entry_count = gf_bs_read_int(bs, large_size ? 16 : 8); fprintf(trace, "\n", rle, large_size); - + while (entry_count) { u32 ID; fprintf(trace, "data, ((GF_DefaultSampleGroupDescriptionEntry*)entry)->length); break; - + case GF_ISOM_SAMPLE_GROUP_NALM: nalm_dump(trace, (char *) ((GF_DefaultSampleGroupDescriptionEntry*)entry)->data, ((GF_DefaultSampleGroupDescriptionEntry*)entry)->length); break; @@ -4501,7 +4501,7 @@ GF_Err tenc_dump(GF_Box *a, FILE * trace) fprintf(trace, "\" KID=\""); } dump_data_hex(trace, (char *) ptr->KID, 16); - if (ptr->version) + if (ptr->version) fprintf(trace, "\" crypt_byte_block=\"%d\" skip_byte_block=\"%d", ptr->crypt_byte_block, ptr->skip_byte_block); fprintf(trace, "\">\n"); gf_isom_box_dump_done("TrackEncryptionBox", a, trace); -- cgit v1.2.3 From 245cb97571a66c071d2cc670d9e9545888889110 Mon Sep 17 00:00:00 2001 
From: Aurelien David Date: Thu, 11 Apr 2019 14:18:58 +0200 Subject: [PATCH] fix a bunch of vsprintf -> vsnprintf closes #1203 Gbp-Pq: Name CVE-2019-11221.patch --- applications/mp4client/main.c | 2 +- src/media_tools/media_export.c | 2 +- src/media_tools/media_import.c | 2 +- src/scene_manager/loader_bt.c | 2 +- src/scene_manager/loader_isom.c | 2 +- src/scene_manager/loader_qt.c | 2 +- src/scene_manager/loader_svg.c | 2 +- src/scene_manager/loader_xmt.c | 2 +- src/scene_manager/swf_parse.c | 2 +- src/scene_manager/swf_svg.c | 2 +- src/scenegraph/xbl_process.c | 2 +- src/utils/alloc.c | 2 +- src/utils/xml_parser.c | 14 ++++++++------ 13 files changed, 20 insertions(+), 18 deletions(-) diff --git a/applications/mp4client/main.c b/applications/mp4client/main.c index 63b4651..316ebfb 100644 --- a/applications/mp4client/main.c +++ b/applications/mp4client/main.c @@ -1038,7 +1038,7 @@ static void on_gpac_log(void *cbk, GF_LOG_Level ll, GF_LOG_Tool lm, const char * if (rti_logs && (lm & GF_LOG_RTI)) { char szMsg[2048]; - vsprintf(szMsg, fmt, list); + vsnprintf(szMsg, 2048, fmt, list); UpdateRTInfo(szMsg + 6 /*"[RTI] "*/); } else { if (log_time_start) { diff --git a/src/media_tools/media_export.c b/src/media_tools/media_export.c index 23f20b3..e9a7849 100644 --- a/src/media_tools/media_export.c +++ b/src/media_tools/media_export.c @@ -57,7 +57,7 @@ static GF_Err gf_export_message(GF_MediaExporter *dumper, GF_Err e, char *format va_list args; char szMsg[1024]; va_start(args, format); - vsprintf(szMsg, format, args); + vsnprintf(szMsg, 1024, format, args); va_end(args); GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_AUTHOR, ("%s\n", szMsg) ); } diff --git a/src/media_tools/media_import.c b/src/media_tools/media_import.c index 332d0e4..77c62e1 100644 --- a/src/media_tools/media_import.c +++ b/src/media_tools/media_import.c 
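Review bot: The size passed to `vsnprintf` in on_gpac_log (applications/mp4client/main.c) repeats the literal from the declaration, `char szMsg[2048];` followed by `vsnprintf(szMsg, 2048, fmt, list);`. Writing `vsnprintf(szMsg, sizeof(szMsg), fmt, list);` keeps the bound correct if the array is ever resized. The same applies to the `szMsg` and `msg` calls in media_export.c, media_import.c, loader_bt.c, loader_isom.c, loader_qt.c, loader_svg.c, loader_xmt.c, swf_parse.c, xbl_process.c and alloc.c. In on_gpac_log, `UpdateRTInfo(szMsg + 6)` also assumes the formatted message is at least six characters long, which the hunk does not establish.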
@@ -52,7 +52,7 @@ GF_Err gf_import_message(GF_MediaImporter *import, GF_Err e, char *format, ...) va_list args; char szMsg[1024]; va_start(args, format); - vsprintf(szMsg, format, args); + vsnprintf(szMsg, 1024, format, args); va_end(args); GF_LOG((u32) (e ? GF_LOG_WARNING : GF_LOG_INFO), GF_LOG_AUTHOR, ("%s\n", szMsg) ); } diff --git a/src/scene_manager/loader_bt.c b/src/scene_manager/loader_bt.c index 3c71fdf..46e92a5 100644 --- a/src/scene_manager/loader_bt.c +++ b/src/scene_manager/loader_bt.c @@ -121,7 +121,7 @@ static GF_Err gf_bt_report(GF_BTParser *parser, GF_Err e, char *format, ...) char szMsg[2048]; va_list args; va_start(args, format); - vsprintf(szMsg, format, args); + vsnprintf(szMsg, 2048, format, args); va_end(args); GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[BT/WRL Parsing] %s (line %d)\n", szMsg, parser->line)); } diff --git a/src/scene_manager/loader_isom.c b/src/scene_manager/loader_isom.c index db01a95..8902aa0 100644 --- a/src/scene_manager/loader_isom.c +++ b/src/scene_manager/loader_isom.c @@ -144,7 +144,7 @@ static void mp4_report(GF_SceneLoader *load, GF_Err e, char *format, ...) char szMsg[1024]; va_list args; va_start(args, format); - vsprintf(szMsg, format, args); + vsnprintf(szMsg, 1024, format, args); va_end(args); GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[MP4 Loading] %s\n", szMsg) ); } diff --git a/src/scene_manager/loader_qt.c b/src/scene_manager/loader_qt.c index 661b450..e7382c9 100644 --- a/src/scene_manager/loader_qt.c +++ b/src/scene_manager/loader_qt.c @@ -40,7 +40,7 @@ static GF_Err gf_qt_report(GF_SceneLoader *load, GF_Err e, char *format, ...) char szMsg[1024]; va_list args; va_start(args, format); - vsprintf(szMsg, format, args); + vsnprintf(szMsg, 1024, format, args); va_end(args); GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[QT Parsing] %s\n", szMsg) ); } 
diff --git a/src/scene_manager/loader_svg.c b/src/scene_manager/loader_svg.c index 62fe8a7..d91450b 100644 --- a/src/scene_manager/loader_svg.c +++ b/src/scene_manager/loader_svg.c @@ -134,7 +134,7 @@ static GF_Err svg_report(GF_SVG_Parser *parser, GF_Err e, char *format, ...) char szMsg[2048]; va_list args; va_start(args, format); - vsprintf(szMsg, format, args); + vsnprintf(szMsg, 2048, format, args); va_end(args); GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[SVG Parsing] line %d - %s\n", gf_xml_sax_get_line(parser->sax_parser), szMsg)); } diff --git a/src/scene_manager/loader_xmt.c b/src/scene_manager/loader_xmt.c index f941943..f8b9f9a 100644 --- a/src/scene_manager/loader_xmt.c +++ b/src/scene_manager/loader_xmt.c @@ -144,7 +144,7 @@ static GF_Err xmt_report(GF_XMTParser *parser, GF_Err e, char *format, ...) char szMsg[2048]; va_list args; va_start(args, format); - vsprintf(szMsg, format, args); + vsnprintf(szMsg, 2048, format, args); va_end(args); GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[XMT Parsing] %s (line %d)\n", szMsg, gf_xml_sax_get_line(parser->sax_parser)) ); } diff --git a/src/scene_manager/swf_parse.c b/src/scene_manager/swf_parse.c index 1545cd6..a1d5d87 100644 --- a/src/scene_manager/swf_parse.c +++ b/src/scene_manager/swf_parse.c @@ -2428,7 +2428,7 @@ void swf_report(SWFReader *read, GF_Err e, char *format, ...) char szMsg[2048]; va_list args; va_start(args, format); - vsprintf(szMsg, format, args); + vsnprintf(szMsg, 2048, format, args); va_end(args); GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[SWF Parsing] %s (frame %d)\n", szMsg, read->current_frame+1) ); } diff --git a/src/scene_manager/swf_svg.c b/src/scene_manager/swf_svg.c index edc563e..28397ca 100644 --- a/src/scene_manager/swf_svg.c +++ b/src/scene_manager/swf_svg.c 
@@ -51,7 +51,7 @@ static void swf_svg_print(SWFReader *read, const char *format, ...) { /* print the line */ va_start(args, format); - vsprintf(line, format, args); + vsnprintf(line, 2000, format, args); va_end(args); /* add the line to the buffer */ line_length = (u32)strlen(line); diff --git a/src/scenegraph/xbl_process.c b/src/scenegraph/xbl_process.c index 21ef3a0..216f7d3 100644 --- a/src/scenegraph/xbl_process.c +++ b/src/scenegraph/xbl_process.c @@ -61,7 +61,7 @@ static GF_Err xbl_parse_report(GF_XBL_Parser *parser, GF_Err e, char *format, .. char szMsg[2048]; va_list args; va_start(args, format); - vsprintf(szMsg, format, args); + vsnprintf(szMsg, 2048, format, args); va_end(args); GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[XBL Parsing] line %d - %s\n", gf_xml_sax_get_line(parser->sax_parser), szMsg)); } diff --git a/src/utils/alloc.c b/src/utils/alloc.c index 1701166..0c8c960 100644 --- a/src/utils/alloc.c +++ b/src/utils/alloc.c @@ -815,7 +815,7 @@ static void gf_memory_log(unsigned int level, const char *fmt, ...) char msg[1024]; assert(strlen(fmt) < 200); va_start(vl, fmt); - vsprintf(msg, fmt, vl); + vsnprintf(msg, 1024, fmt, vl); GF_LOG(level, GF_LOG_MEMORY, (msg)); va_end(vl); } diff --git a/src/utils/xml_parser.c b/src/utils/xml_parser.c index 915a51a..b153a47 100644 --- a/src/utils/xml_parser.c +++ b/src/utils/xml_parser.c 
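Review bot: The bound in `vsnprintf(line, 2000, format, args);` in swf_svg_print (src/scene_manager/swf_svg.c) cannot be checked from this hunk, because the declaration of `line` is outside it. If `line` is a local array, `vsnprintf(line, sizeof(line), format, args);` removes the dependency on the literal; if it is a pointer, the allocation size should be passed instead. Truncation is also silent, since the return value is ignored and `strlen(line)` is used afterwards.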
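Review bot: In gf_memory_log (src/utils/alloc.c) the formatted buffer is passed on as a format string, `GF_LOG(level, GF_LOG_MEMORY, (msg));`, so any `%` left in `msg` after the first expansion is interpreted a second time with no matching arguments. Bounding the first `vsnprintf` does not address that. The call should be `GF_LOG(level, GF_LOG_MEMORY, ("%s", msg));`. The `assert(strlen(fmt) < 200);` above it disappears in builds with `NDEBUG`, so it should not be relied on as a limit either.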
@@ -220,14 +220,16 @@ static void format_sax_error(GF_SAXParser *parser, u32 linepos, const char* fmt, char szM[20]; va_start(args, fmt); - vsprintf(parser->err_msg, fmt, args); + vsnprintf(parser->err_msg, ARRAY_LENGTH(parser->err_msg), fmt, args); va_end(args); - sprintf(szM, " - Line %d: ", parser->line + 1); - strcat(parser->err_msg, szM); - len = (u32) strlen(parser->err_msg); - strncpy(parser->err_msg + len, parser->buffer+ (linepos ? linepos : parser->current_pos), 10); - parser->err_msg[len + 10] = 0; + if (strlen(parser->err_msg)+30 < ARRAY_LENGTH(parser->err_msg)) { + snprintf(szM, 20, " - Line %d: ", parser->line + 1); + strcat(parser->err_msg, szM); + len = (u32) strlen(parser->err_msg); + strncpy(parser->err_msg + len, parser->buffer+ (linepos ? linepos : parser->current_pos), 10); + parser->err_msg[len + 10] = 0; + } parser->sax_state = SAX_STATE_SYNTAX_ERROR; } -- cgit v1.2.3 From f2402d6e9d54ed27e71913ebeed820c344e735c2 Mon Sep 17 00:00:00 2001 From: Aurelien David Date: Thu, 11 Apr 2019 14:54:53 +0200 Subject: [PATCH] fix buffer overrun in gf_bin128_parse closes #1204 closes #1205 Gbp-Pq: Name CVE-2019-11222.patch --- src/utils/os_divers.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/utils/os_divers.c b/src/utils/os_divers.c index d44f095..1411fe9 100644 --- a/src/utils/os_divers.c +++ b/src/utils/os_divers.c @@ -1969,6 +1969,11 @@ GF_Err gf_bin128_parse(char *string, bin128 value) sscanf(szV, "%x", &v); value[i] = v; i++; + if (i > 15) { + // force error check below + i++; + break; + } } } if (i != 16) { -- cgit v1.2.3
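Review bot: As the hunk reads, the new guard in gf_bin128_parse (src/utils/os_divers.c) rejects well-formed input. After the sixteenth `value[i] = v; i++;` the index is 16, `if (i > 15)` is taken, `i` becomes 17, and the `if (i != 16)` test after the loop reports an error. Placing the guard ahead of the store, `if (i > 15) { i++; break; }` before `value[i] = v;`, keeps the overrun fix while letting exactly sixteen bytes through. The result of `sscanf(szV, "%x", &v)` is also unchecked, so a non-hex pair stores an indeterminate `v`. The loop header is outside the hunk.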