Add bugfix for CVE-2018-7752
authorReinhard Tartler <siretart@tauware.de>
Thu, 14 Feb 2019 12:26:56 +0000 (07:26 -0500)
committerReinhard Tartler <siretart@tauware.de>
Thu, 14 Feb 2019 12:26:56 +0000 (07:26 -0500)
debian/patches/CVE-2018-7752.patch [new file with mode: 0644]
debian/patches/series

diff --git a/debian/patches/CVE-2018-7752.patch b/debian/patches/CVE-2018-7752.patch
new file mode 100644 (file)
index 0000000..846dadb
--- /dev/null
@@ -0,0 +1,47 @@
+Author: Aurelien David <aurelien.david@telecom-paristech.fr>
+Date:   Tue Mar 6 11:23:31 2018 +0100
+Description: CVE-2018-7752
+Upstream: commit 90dc7f853d31b0a4e9441cba97feccf36d8b69a4
+
+fix some exploitable overflows (#994, #997)
+
+diff --git a/include/gpac/tools.h b/include/gpac/tools.h
+index dbc3cebf3..15483d7d6 100644
+--- a/include/gpac/tools.h
++++ b/include/gpac/tools.h
+@@ -1067,6 +1067,7 @@ void gf_fm_request_call(u32 type, u32 param, int *value);
+ /* \endcond */
++#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))
+ #ifdef __cplusplus
+ }
+diff --git a/src/isomedia/avc_ext.c b/src/isomedia/avc_ext.c
+index c1096f872..c59f2ce97 100644
+--- a/src/isomedia/avc_ext.c
++++ b/src/isomedia/avc_ext.c
+@@ -2413,6 +2413,8 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
+               op->output_layer_set_idx = gf_bs_read_u16(bs);
+               op->max_temporal_id = gf_bs_read_u8(bs);
+               op->layer_count = gf_bs_read_u8(bs);
++              if (op->layer_count > ARRAY_LENGTH(op->layers_info))
++                      return GF_NON_COMPLIANT_BITSTREAM;
+               for (j = 0; j < op->layer_count; j++) {
+                       op->layers_info[j].ptl_idx = gf_bs_read_u8(bs);
+                       op->layers_info[j].layer_id = gf_bs_read_int(bs, 6);
+diff --git a/src/media_tools/av_parsers.c b/src/media_tools/av_parsers.c
+index b9b5acdbb..27a6807d9 100644
+--- a/src/media_tools/av_parsers.c
++++ b/src/media_tools/av_parsers.c
+@@ -2385,6 +2385,10 @@ s32 gf_media_avc_read_sps(const char *sps_data, u32 sps_size, AVCState *avc, u32
+               sps->offset_for_non_ref_pic = bs_get_se(bs);
+               sps->offset_for_top_to_bottom_field = bs_get_se(bs);
+               sps->poc_cycle_length = bs_get_ue(bs);
++              if (sps->poc_cycle_length > ARRAY_LENGTH(sps->offset_for_ref_frame)) {
++                      GF_LOG(GF_LOG_ERROR, GF_LOG_CODING, ("[avc-h264] offset_for_ref_frame overflow from poc_cycle_length\n"));
++                      goto exit;
++              }
+               for(i=0; i<sps->poc_cycle_length; i++) sps->offset_for_ref_frame[i] = bs_get_se(bs);
+       }
+       if (sps->poc_type > 2) {
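Review bot: The new guard in gf_media_avc_read_sps jumps to `exit` only after the oversized value has already been stored in `sps->poc_cycle_length`, and nothing in the hunk resets that field or marks the SPS as invalid; since the `exit:` label is outside the hunk I cannot confirm what it returns, but if it reports the parsed sps_id as success, any later consumer that walks `offset_for_ref_frame` up to `sps->poc_cycle_length` reaches the same out-of-bounds access by another path, so I would add `sps->poc_cycle_length = 0;` before the `goto exit` and make sure the function's return signals failure. The avc_ext.c guard has the same shape, leaving the rejected `op->layer_count` in place, although there the explicit `GF_NON_COMPLIANT_BITSTREAM` return at least tells the caller to discard the entry. Separately, `ARRAY_LENGTH` is added to the public include/gpac/tools.h under a very generic name with no guard, so a consumer that already defines ARRAY_LENGTH gets a redefinition warning or error; wrap it as `#ifndef ARRAY_LENGTH` / `#define ARRAY_LENGTH(a) ...` / `#endif`, or follow the library's prefix convention seen in the surrounding gf_* calls and call it `GF_ARRAY_LENGTH`. Both enclosing functions begin and end outside the hunk.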
index 4781a2c4fbff43cd52e246156b688072f8c91a3a..1fd08cf974180a2470efd86af8a1dd3c340d2b34 100644 (file)
@@ -6,3 +6,4 @@ dont-err-build-on-uknown-system.patch
 #ffmpeg_2.9.patch
 ffmpeg_4.patch
 fix_makefile_install.patch
+CVE-2018-7752.patch