From 3da4490b7456ba681c4f32a230674160057a69d9 Mon Sep 17 00:00:00 2001 From: Debian Multimedia Maintainers Date: Fri, 15 Feb 2019 06:43:22 -0500 Subject: CVE-2018-13005 commit bceb03fd2be95097a7b409ea59914f332fb6bc86 Author: Aurelien David Date: Thu Jun 28 13:34:08 2018 +0200 Description: CVE-2018-13005, CVE-2018-13006 fixed 2 possible heap overflows (inc. #1088) Gbp-Pq: Name CVE-2018-13005.patch
---
 include/gpac/internal/isomedia_dev.h | 2 +- src/isomedia/box_code_base.c | 2 +- src/isomedia/box_dump.c | 14 +++++++------- 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/include/gpac/internal/isomedia_dev.h b/include/gpac/internal/isomedia_dev.h
index 11e9905..88112db 100644
--- a/include/gpac/internal/isomedia_dev.h
+++ b/include/gpac/internal/isomedia_dev.h
@@ -3668,7 +3668,7 @@ GF_GenericSubtitleSample *gf_isom_parse_generic_subtitle_sample_from_data(char *
 char __ptype[5];\
 strcpy(__ptype, gf_4cc_to_str(__parent->type) );\
 GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[iso file] extra box %s found in %s, deleting\n", gf_4cc_to_str(__abox->type), __ptype)); \
- gf_isom_box_del(a);\
+ gf_isom_box_del(__abox);\
 return GF_OK;\
 }
diff --git a/src/isomedia/box_code_base.c b/src/isomedia/box_code_base.c
index a21c390..873a6ee 100644
--- a/src/isomedia/box_code_base.c
+++ b/src/isomedia/box_code_base.c
@@ -632,7 +632,7 @@ GF_Err urn_Read(GF_Box *s, GF_BitStream *bs)
 //then get the break
 i = 0;
- while ( (tmpName[i] != 0) && (i < to_read) ) {
+ while ( (i < to_read) && (tmpName[i] != 0) ) {
 i++;
 }
 //check the data is consistent
diff --git a/src/isomedia/box_dump.c b/src/isomedia/box_dump.c
index cbfaa73..247c352 100644
--- a/src/isomedia/box_dump.c
+++ b/src/isomedia/box_dump.c
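Review bot: In include/gpac/internal/isomedia_dev.h the macro body frees `__abox` and then executes `return GF_OK;` in whatever function expands it, and nothing visible in the hunk documents that ownership rule. A comment above the macro such as `/* deletes __abox and returns GF_OK from the calling function; the caller must not use the box afterwards */` would make the contract explicit. The old `gf_isom_box_del(a)` presumably compiled only because the call sites had a local named `a`, so the other macros in this header may deserve a check for names that are not macro parameters. The macro's definition starts above the hunk.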
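Review bot: In urn_Read (src/isomedia/box_code_base.c) the corrected loop is safe only because `i < to_read` is evaluated before `tmpName[i]`, and that ordering is easy to undo in a later cleanup since both forms read as equivalent. A short comment on the loop would protect it, e.g. `/* test the bound first: tmpName may hold no NUL within to_read bytes */`. The consistency check that follows the loop lies outside the hunk, so whether it handles `i == to_read` (no terminator found) cannot be confirmed from here.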
@@ -484,7 +484,7 @@ GF_Err hdlr_dump(GF_Box *a, FILE * trace) { GF_HandlerBox *p = (GF_HandlerBox *)a; gf_isom_box_dump_start(a, "HandlerBox", trace); - if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8+1)) { + if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1) { fprintf(trace, "hdlrType=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8+1); } else { fprintf(trace, "hdlrType=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8); @@ -4157,9 +4157,9 @@ static void oinf_entry_dump(GF_OperatingPointsInformation *ptr, FILE * trace) fprintf(trace, " maxPicWidth=\"%u\" maxPicHeight=\"%u\"", op->maxPicWidth, op->maxPicHeight); fprintf(trace, " maxChromaFormat=\"%u\" maxBitDepth=\"%u\"", op->maxChromaFormat, op->maxBitDepth); fprintf(trace, " frame_rate_info_flag=\"%u\" bit_rate_info_flag=\"%u\"", op->frame_rate_info_flag, op->bit_rate_info_flag); - if (op->frame_rate_info_flag) + if (op->frame_rate_info_flag) fprintf(trace, " avgFrameRate=\"%u\" constantFrameRate=\"%u\"", op->avgFrameRate, op->constantFrameRate); - if (op->bit_rate_info_flag) + if (op->bit_rate_info_flag) fprintf(trace, " maxBitRate=\"%u\" avgBitRate=\"%u\"", op->maxBitRate, op->avgBitRate); fprintf(trace, "/>\n"); } @@ -4261,14 +4261,14 @@ static void nalm_dump(FILE * trace, char *data, u32 data_size) fprintf(trace, "\n"); return; } - + bs = gf_bs_new(data, data_size, GF_BITSTREAM_READ); gf_bs_read_int(bs, 6); large_size = gf_bs_read_int(bs, 1); rle = gf_bs_read_int(bs, 1); entry_count = gf_bs_read_int(bs, large_size ? 16 : 8); fprintf(trace, "\n", rle, large_size); - + while (entry_count) { u32 ID; fprintf(trace, "data, ((GF_DefaultSampleGroupDescriptionEntry*)entry)->length); break; - + case GF_ISOM_SAMPLE_GROUP_NALM: nalm_dump(trace, (char *) ((GF_DefaultSampleGroupDescriptionEntry*)entry)->data, ((GF_DefaultSampleGroupDescriptionEntry*)entry)->length); break; 
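Review bot: In hdlr_dump the `else` branch still passes `p->nameUTF8` to `%s` when the pointer is NULL, because the `p->nameUTF8 &&` guard protects only the first branch; a NULL argument for `%s` is undefined behaviour. Printing `p->nameUTF8 ? p->nameUTF8 : ""` in that branch would close it. The new comparison also computes `strlen(p->nameUTF8)-1`, which wraps for an empty string, and casts a possibly signed `char` to `u32`, so a length byte of 0x80 or above can never match; `strlen(p->nameUTF8) == (size_t)(unsigned char)p->nameUTF8[0] + 1` avoids both. The function body continues past the end of the hunk.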
@@ -4501,7 +4501,7 @@ GF_Err tenc_dump(GF_Box *a, FILE * trace)
 fprintf(trace, "\" KID=\"");
 }
 dump_data_hex(trace, (char *) ptr->KID, 16);
- if (ptr->version)
+ if (ptr->version)
 fprintf(trace, "\" crypt_byte_block=\"%d\" skip_byte_block=\"%d", ptr->crypt_byte_block, ptr->skip_byte_block);
 fprintf(trace, "\">\n");
 gf_isom_box_dump_done("TrackEncryptionBox", a, trace);
-- 
cgit v1.2.3