CVE-2022-38530

commit 4e56ad72ac1afb4e049a10f2d99e7512d7141f9d
Author: jeanlf <jeanlf@gpac.io>
Date:   Tue Jul 12 18:29:36 2022 +0200

    fixed #2216

Gbp-Pq: Name CVE-2022-38530.patch

diff --git a/applications/mp4box/main.c b/applications/mp4box/main.c
index 1b3fb4fcbd0722d9163394bda1918233544857ad..fd0036d85e1efdf76f3d0c620da4c9b198a450b9 100644 (file)
--- a/applications/mp4box/main.c
+++ b/applications/mp4box/main.c
@@ -3602,7 +3602,7 @@ GF_Err HintFile(GF_ISOFile *file, u32 MTUSize, u32 max_ptime, u32 rtp_rate, u32
 
                if (e) {
                        M4_LOG(GF_LOG_ERROR, ("Error while hinting (%s)\n", gf_error_to_string(e)));
-                       if (!nb_done) return e;
+                       return e;
                }
                init_payt++;
                nb_done ++;

diff --git a/src/odf/desc_private.c b/src/odf/desc_private.c
index a22c7cca8caf07a1e5f858b89dde7fec38fc2cd0..33313f12fb1e0826f57772e38c67e1976340cbbb 100644 (file)
--- a/src/odf/desc_private.c
+++ b/src/odf/desc_private.c
@@ -273,7 +273,7 @@ GF_Err gf_odf_delete_descriptor(GF_Descriptor *desc)
 //
 //             READERS
 //
-GF_Err gf_odf_read_descriptor(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSize)
+static GF_Err gf_odf_read_descriptor_internal(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSize)
 {
        switch (desc->tag) {
        case GF_ODF_IOD_TAG :
@@ -368,7 +368,17 @@ GF_Err gf_odf_read_descriptor(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSiz
        return GF_OK;
 }
 
-
+GF_Err gf_odf_read_descriptor(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSize)
+{
+       u64 cookie = gf_bs_get_cookie(bs);
+       //we allow 100 max desc in a hierarchy - see issue 2216
+       if (cookie>100)
+               return GF_NON_COMPLIANT_BITSTREAM;
+       gf_bs_set_cookie(bs, cookie+1);
+       GF_Err e = gf_odf_read_descriptor_internal(bs, desc, DescSize);
+       gf_bs_set_cookie(bs, cookie);
+       return e;
+}