talos-2021-1297

author Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>

Thu, 19 Aug 2021 22:03:29 +0000 (23:03 +0100)

committer Moritz Mühlenhoff <jmm@debian.org>

Thu, 19 Aug 2021 22:03:29 +0000 (23:03 +0100)
author Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Thu, 19 Aug 2021 22:03:29 +0000 (23:03 +0100)
committer Moritz Mühlenhoff <jmm@debian.org>
Thu, 19 Aug 2021 22:03:29 +0000 (23:03 +0100)
diff --git a/src/isomedia/box_code_base.c b/src/isomedia/box_code_base.c

index 809106bb90c0d68f4d923ce3b45cd44c9e3d8cbd..ff8858ab03f8a82ecb4eba371975b4a1b28376fc 100644 (file)
--- a/src/isomedia/box_code_base.c
+++ b/src/isomedia/box_code_base.c
@@ -46,7 +46,7 @@ GF_Err co64_box_read(GF_Box *s,GF_BitStream *bs)
  
         ISOM_DECREASE_SIZE(ptr, 4)
  
-       if (ptr->nb_entries > ptr->size / 8) {
+       if ((u64)ptr->nb_entries > ptr->size / 8 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u64)) {
                 GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in co64\n", ptr->nb_entries));
                 return GF_ISOM_INVALID_FILE;
         }
@@ -392,7 +392,7 @@ GF_Err ctts_box_read(GF_Box *s, GF_BitStream *bs)
         ISOM_DECREASE_SIZE(ptr, 4);
         ptr->nb_entries = gf_bs_read_u32(bs);
  
-       if (ptr->nb_entries > ptr->size / 8) {
+       if (ptr->nb_entries > ptr->size / 8 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_DttsEntry) ) {
                 GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in ctts\n", ptr->nb_entries));
                 return GF_ISOM_INVALID_FILE;
         }
@@ -3194,6 +3194,10 @@ GF_Err tfra_box_read(GF_Box *s, GF_BitStream *bs)
         }
  
         if (ptr->nb_entries) {
+               if ((u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_RandomAccessEntry)) {
+                       GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in traf\n", ptr->nb_entries));
+                       return GF_ISOM_INVALID_FILE;
+               }
                 p = (GF_RandomAccessEntry *) gf_malloc(sizeof(GF_RandomAccessEntry) * ptr->nb_entries);
                 if (!p) return GF_OUT_OF_MEM;
         }
@@ -5104,7 +5108,7 @@ GF_Err stco_box_read(GF_Box *s, GF_BitStream *bs)
  
         ISOM_DECREASE_SIZE(ptr, 4);
         ptr->nb_entries = gf_bs_read_u32(bs);
-       if (ptr->nb_entries > ptr->size / 4) {
+       if (ptr->nb_entries > ptr->size / 4 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u32)) {
                 GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stco\n", ptr->nb_entries));
                 return GF_ISOM_INVALID_FILE;
         }
@@ -5236,7 +5240,7 @@ GF_Err stsc_box_read(GF_Box *s, GF_BitStream *bs)
         ISOM_DECREASE_SIZE(ptr, 4);
         ptr->nb_entries = gf_bs_read_u32(bs);
  
-       if (ptr->nb_entries > ptr->size / 12) {
+       if (ptr->nb_entries > ptr->size / 12 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_StscEntry)) {
                 GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stsc\n", ptr->nb_entries));
                 return GF_ISOM_INVALID_FILE;
         }
@@ -5575,6 +5579,10 @@ GF_Err stsz_box_read(GF_Box *s, GF_BitStream *bs)
                         }
                 }
         }
+       if (ptr->sampleCount && (u64)ptr->sampleCount > (u64)SIZE_MAX/sizeof(u32)) {
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stsz\n", ptr->sampleCount));
+               return GF_ISOM_INVALID_FILE;
+       }
         if (s->type == GF_ISOM_BOX_TYPE_STSZ) {
                 if (! ptr->sampleSize && ptr->sampleCount) {
                         if (ptr->sampleCount > ptr->size / 4) {
@@ -5779,7 +5787,7 @@ GF_Err stts_box_read(GF_Box *s, GF_BitStream *bs)
  
         ISOM_DECREASE_SIZE(ptr, 4);
         ptr->nb_entries = gf_bs_read_u32(bs);
-       if (ptr->size < ptr->nb_entries * 8) {
+       if (ptr->size / 8 < ptr->nb_entries || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_SttsEntry)) {
                 GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stts\n", ptr->nb_entries));
                 return GF_ISOM_INVALID_FILE;
         }
@@ -7276,6 +7284,10 @@ GF_Err trun_box_read(GF_Box *s, GF_BitStream *bs)
                 if (ptr->sample_count * 4 > ptr->size) {
                         ISOM_DECREASE_SIZE(ptr, ptr->sample_count*4);
                 }
+               if ((u64)ptr->sample_count > (u64)SIZE_MAX/sizeof(GF_TrunEntry)) {
+                       GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of samples %d in trun\n", ptr->sample_count));
+                       return GF_ISOM_INVALID_FILE;
+               }
                 ptr->samples = gf_malloc(sizeof(GF_TrunEntry) * ptr->sample_count);
                 if (!ptr->samples) return GF_OUT_OF_MEM;
                 ptr->sample_alloc = ptr->nb_samples = ptr->sample_count;
@@ -8786,7 +8798,7 @@ GF_Err ssix_box_read(GF_Box *s, GF_BitStream *bs)
         ISOM_DECREASE_SIZE(ptr, 4)
         ptr->subsegment_count = gf_bs_read_u32(bs);
         //each subseg has at least one range_count (4 bytes), abort if not enough bytes (broken box)
-       if (ptr->size < ptr->subsegment_count*4)
+       if (ptr->size / 4 < ptr->subsegment_count || (u64)ptr->subsegment_count > (u64)SIZE_MAX/sizeof(GF_SubsegmentInfo))
                 return GF_ISOM_INVALID_FILE;
  
         GF_SAFE_ALLOC_N(ptr->subsegments, ptr->subsegment_count, GF_SubsegmentInfo);
@@ -8797,7 +8809,7 @@ GF_Err ssix_box_read(GF_Box *s, GF_BitStream *bs)
                 ISOM_DECREASE_SIZE(ptr, 4)
                 subseg->range_count = gf_bs_read_u32(bs);
                 //each range is 4 bytes, abort if not enough bytes
-               if (ptr->size < subseg->range_count*4)
+               if (ptr->size / 4 < subseg->range_count || (u64)subseg->range_count > (u64)SIZE_MAX/sizeof(GF_SubsegmentRangeInfo))
                         return GF_ISOM_INVALID_FILE;
                 subseg->ranges = (GF_SubsegmentRangeInfo*) gf_malloc(sizeof(GF_SubsegmentRangeInfo) * subseg->range_count);
                 if (!subseg->ranges) return GF_OUT_OF_MEM;
@@ -8979,6 +8991,11 @@ GF_Err pcrb_box_read(GF_Box *s,GF_BitStream *bs)
         ISOM_DECREASE_SIZE(ptr, 4);
         ptr->subsegment_count = gf_bs_read_u32(bs);
  
+       if ((u64)ptr->subsegment_count > ptr->size / 8 || (u64)ptr->subsegment_count > (u64)SIZE_MAX/sizeof(u64)) {
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of subsegment %d in pcrb\n", ptr->subsegment_count));
+               return GF_ISOM_INVALID_FILE;
+       }
+
         ptr->pcr_values = gf_malloc(sizeof(u64)*ptr->subsegment_count);
         if (!ptr->pcr_values) return GF_OUT_OF_MEM;
         for (i=0; i<ptr->subsegment_count; i++) {
@@ -9303,7 +9320,7 @@ GF_Err sbgp_box_read(GF_Box *s, GF_BitStream *bs)
         }
         ptr->entry_count = gf_bs_read_u32(bs);
  
-       if (ptr->size < sizeof(GF_SampleGroupEntry)*ptr->entry_count)
+       if (ptr->size < sizeof(GF_SampleGroupEntry)*ptr->entry_count || (u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(GF_SampleGroupEntry))
             return GF_ISOM_INVALID_FILE;
  
         ptr->sample_entries = gf_malloc(sizeof(GF_SampleGroupEntry)*ptr->entry_count);
@@ -9860,7 +9877,7 @@ GF_Err saio_box_read(GF_Box *s, GF_BitStream *bs)
  
         if (ptr->entry_count) {
                 u32 i;
-               if (ptr->size < (ptr->version == 0 ? 4 : 8) * ptr->entry_count)
+               if (ptr->size / (ptr->version == 0 ? 4 : 8) < ptr->entry_count || (u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(u64))
                         return GF_ISOM_INVALID_FILE;
                 ptr->offsets = gf_malloc(sizeof(u64)*ptr->entry_count);
                 if (!ptr->offsets)
@@ -10368,7 +10385,7 @@ GF_Err fpar_box_read(GF_Box *s, GF_BitStream *bs)
  
         ISOM_DECREASE_SIZE(ptr, (ptr->version ? 4 : 2) );
         ptr->nb_entries = gf_bs_read_int(bs, ptr->version ? 32 : 16);
-       if (ptr->nb_entries > UINT_MAX / 6)
+       if (ptr->nb_entries > ptr->size / 6 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(FilePartitionEntry))
                 return GF_ISOM_INVALID_FILE;
  
         ISOM_DECREASE_SIZE(ptr, ptr->nb_entries * 6 );
@@ -10454,6 +10471,11 @@ GF_Err fecr_box_read(GF_Box *s, GF_BitStream *bs)
         ISOM_DECREASE_SIZE(ptr, (ptr->version ? 4 : 2) );
         ptr->nb_entries = gf_bs_read_int(bs, ptr->version ? 32 : 16);
  
+       if (ptr->nb_entries > ptr->size / (ptr->version ? 8 : 6) || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(FECReservoirEntry) ) {
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in fecr\n", ptr->nb_entries));
+               return GF_ISOM_INVALID_FILE;
+       }
+
         ISOM_DECREASE_SIZE(ptr, ptr->nb_entries * (ptr->version ? 8 : 6) );
         GF_SAFE_ALLOC_N(ptr->entries, ptr->nb_entries, FECReservoirEntry);
         if (!ptr->entries) return GF_OUT_OF_MEM;
author	Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
	Thu, 19 Aug 2021 22:03:29 +0000 (23:03 +0100)
committer	Moritz Mühlenhoff <jmm@debian.org>
	Thu, 19 Aug 2021 22:03:29 +0000 (23:03 +0100)