CVE-2021-40559
authorDebian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Mon, 19 Jun 2023 21:46:06 +0000 (22:46 +0100)
committerMoritz Mühlenhoff <jmm@debian.org>
Mon, 19 Jun 2023 21:46:06 +0000 (22:46 +0100)
Origin: https://github.com/gpac/gpac/commit/70607fc71a671cf48a05e013a4e411429373dce7
Reviewed-by: Aron Xu <aron@debian.org>
From 70607fc71a671cf48a05e013a4e411429373dce7 Mon Sep 17 00:00:00 2001
From: Aurelien David <aurelien.david@telecom-paristech.fr>
Date: Tue, 24 Aug 2021 18:16:50 +0200
Subject: [PATCH] add some null guards to prevent segfaults

closes #1884, #1886

Gbp-Pq: Name CVE-2021-40559.patch

src/filters/reframe_nalu.c
src/isomedia/isom_intern.c

index d3f2ee021292b32da64e5cfe9d9a9769aa0754e3..74abd2b5681a5f7c5c0cf233e886be45a6df8a04 100644 (file)
@@ -314,7 +314,7 @@ GF_Err naludmx_configure_pid(GF_Filter *filter, GF_FilterPid *pid, Bool is_remov
                ctx->ps_modified = GF_TRUE;
                ctx->crc_cfg = ctx->crc_cfg_enh = 0;
        }
-       
+
        return GF_OK;
 }
 
@@ -694,7 +694,7 @@ GF_Err naludmx_set_hevc_oinf(GF_NALUDmxCtx *ctx, u8 *max_temporal_id)
        if (!vps_sl) return GF_SERVICE_ERROR;
 
        vps = &ctx->hevc_state->vps[vps_sl->id];
-       
+
        if (!vps->vps_extension_found) return GF_OK;
        if (vps->max_layers<2) return GF_OK;
 
@@ -836,7 +836,7 @@ static void naludmx_set_hevc_linf(GF_NALUDmxCtx *ctx)
                return;
 
        bs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);
-       
+
        gf_bs_write_int(bs, 0, 2);
        gf_bs_write_int(bs, nb_layers, 6);
        for (i=0; i<nb_layers; i++) {
@@ -1881,7 +1881,7 @@ static s32 naludmx_parse_nal_avc(GF_NALUDmxCtx *ctx, char *data, u32 size, u32 n
                *skip_nal = GF_TRUE;
        }
        ctx->nb_nalus++;
-       
+
        switch (nal_type) {
        case GF_AVC_NALU_SVC_SUBSEQ_PARAM:
        case GF_AVC_NALU_SEQ_PARAM:
@@ -1999,7 +1999,7 @@ static s32 naludmx_parse_nal_avc(GF_NALUDmxCtx *ctx, char *data, u32 size, u32 n
                        u32 i;
                        for (i = 0; i < gf_list_count(ctx->pps); i ++) {
                                GF_AVCConfigSlot *slc = (GF_AVCConfigSlot*)gf_list_get(ctx->pps, i);
-                               if (ctx->avc_state->s_info.pps->id == slc->id) {
+                               if (ctx->avc_state->s_info.pps && ctx->avc_state->s_info.pps->id == slc->id) {
                                        /* This PPS is used by an SVC NAL unit, it should be moved to the SVC Config Record) */
                                        gf_list_rem(ctx->pps, i);
                                        i--;
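Review bot: The added `ctx->avc_state->s_info.pps &&` test does not depend on `i` or `slc`, and nothing in the visible lines changes it, so it is re-evaluated on every pass of the `for` loop and makes the no-PPS case read like an ordinary ID mismatch. Testing it once around the loop, `if (ctx->avc_state->s_info.pps) { for (i = 0; ...) ... }`, would state the precondition directly. A NULL `s_info.pps` here presumably means the slice header did not resolve to a parsed PPS, which for untrusted input deserves a comment such as `/* no PPS resolved for this slice (malformed or truncated stream): nothing to move */`. The `i--` on the `u32` counter also relies on unsigned wrap-around when entry 0 is removed, which is well defined but worth a short comment. naludmx_parse_nal_avc starts and ends outside the hunk.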
@@ -2367,7 +2367,7 @@ naldmx_flush:
                if (!ctx->opid && current) {
                        assert(remain>=current);
             assert((s32) current >= 0);
-            
+
                        start += current;
                        remain -= current;
                        current = 0;
index 83549362f02f37dee48718621ba1a63f42636fa5..ce2a4f44de9ba40e7d714a6318c5a762ce0dad29 100644 (file)
@@ -499,10 +499,12 @@ GF_Err gf_isom_parse_movie_boxes(GF_ISOFile *mov, u32 *boxType, u64 *bytesMissin
                                                //we should only parse senc/psec when no saiz/saio is present, otherwise we fetch the info directly
                                                if (traf->trex && traf->tfhd && traf->trex->track && traf->sample_encryption) {
                                                        GF_TrackBox *trak = GetTrackbyID(mov->moov, traf->tfhd->trackID);
-                                                       trak->current_traf_stsd_idx = traf->tfhd->sample_desc_index ? traf->tfhd->sample_desc_index : traf->trex->def_sample_desc_index;
-                                                       e = senc_Parse(mov->movieFileMap->bs, trak, traf, traf->sample_encryption);
-                                                       if (e) return e;
-                                                       trak->current_traf_stsd_idx = 0;
+                                                       if (trak) {
+                                                               trak->current_traf_stsd_idx = traf->tfhd->sample_desc_index ? traf->tfhd->sample_desc_index : traf->trex->def_sample_desc_index;
+                                                               e = senc_Parse(mov->movieFileMap->bs, trak, traf, traf->sample_encryption);
+                                                               if (e) return e;
+                                                               trak->current_traf_stsd_idx = 0;
+                                                       }
                                                }
                                        }
                                } else {
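Review bot: When `GetTrackbyID` returns NULL, the new `if (trak)` skips `senc_Parse` without any trace, although a `tfhd` whose `trackID` matches no track in `moov` points to a malformed fragment. I would add an `else` branch with a warning log and a comment such as `/* tfhd->trackID matches no trak in moov: malformed fragment, senc left unparsed */`, so it is explicit that this traf carries unparsed sample-encryption data. Separately, `if (e) return e;` leaves `trak->current_traf_stsd_idx` non-zero on the error path. Whether that matters depends on callers outside the hunk, but resetting first keeps the state consistent: `trak->current_traf_stsd_idx = 0; if (e) return e;`. gf_isom_parse_movie_boxes starts and ends outside the hunk.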