Add CVE-2018-20762.patch
authorReinhard Tartler <siretart@tauware.de>
Fri, 15 Feb 2019 11:32:46 +0000 (06:32 -0500)
committerReinhard Tartler <siretart@tauware.de>
Fri, 15 Feb 2019 11:32:46 +0000 (06:32 -0500)
debian/patches/CVE-2018-20762.patch [new file with mode: 0644]
debian/patches/CVE-2018-7752.patch
debian/patches/series

diff --git a/debian/patches/CVE-2018-20762.patch b/debian/patches/CVE-2018-20762.patch
new file mode 100644 (file)
index 0000000..c2c9ab1
--- /dev/null
@@ -0,0 +1,178 @@
+commit 35ab4475a7df9b2a4bcab235e379c0c3ec543658
+Author: Aurelien David <aurelien.david@telecom-paristech.fr>
+Date:   Fri Jan 11 11:32:54 2019 +0100
+Description: CVE-2018-20762
+
+    fix some overflows due to strcpy
+    
+    fixes #1184, #1186, #1187 among other things
+
+--- a/applications/mp4box/fileimport.c
++++ b/applications/mp4box/fileimport.c
+@@ -2247,17 +2247,33 @@ GF_Err cat_multiple_files(GF_ISOFile *de
+       cat_enum.align_timelines = align_timelines;
+       cat_enum.allow_add_in_command = allow_add_in_command;
++      if (strlen(fileName) >= sizeof(cat_enum.szPath)) {
++              GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName));
++              return GF_NOT_SUPPORTED;
++      }
+       strcpy(cat_enum.szPath, fileName);
+       sep = strrchr(cat_enum.szPath, GF_PATH_SEPARATOR);
+       if (!sep) sep = strrchr(cat_enum.szPath, '/');
+       if (!sep) {
+               strcpy(cat_enum.szPath, ".");
++              if (strlen(fileName) >= sizeof(cat_enum.szRad1)) {
++                      GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName));
++                      return GF_NOT_SUPPORTED;
++              }
+               strcpy(cat_enum.szRad1, fileName);
+       } else {
++              if (strlen(sep + 1) >= sizeof(cat_enum.szRad1)) {
++                      GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1)));
++                      return GF_NOT_SUPPORTED;
++              }
+               strcpy(cat_enum.szRad1, sep+1);
+               sep[0] = 0;
+       }
+       sep = strchr(cat_enum.szRad1, '*');
++      if (strlen(sep + 1) >= sizeof(cat_enum.szRad2)) {
++              GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1)));
++              return GF_NOT_SUPPORTED;
++      }
+       strcpy(cat_enum.szRad2, sep+1);
+       sep[0] = 0;
+       sep = strchr(cat_enum.szRad2, '%');
+@@ -2265,6 +2281,10 @@ GF_Err cat_multiple_files(GF_ISOFile *de
+       if (!sep) sep = strchr(cat_enum.szRad2, ':');
+       strcpy(cat_enum.szOpt, "");
+       if (sep) {
++              if (strlen(sep) >= sizeof(cat_enum.szOpt)) {
++                      GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("Invalid option: %s.\n", sep));
++                      return GF_NOT_SUPPORTED;
++              }
+               strcpy(cat_enum.szOpt, sep);
+               sep[0] = 0;
+       }
+--- a/applications/mp4client/main.c
++++ b/applications/mp4client/main.c
+@@ -900,7 +900,8 @@ Bool GPAC_EventProc(void *ptr, GF_Event
+               break;
+       case GF_EVENT_NAVIGATE:
+               if (gf_term_is_supported_url(term, evt->navigate.to_url, 1, no_mime_check)) {
+-                      strcpy(the_url, evt->navigate.to_url);
++                      strncpy(the_url, evt->navigate.to_url, sizeof(the_url)-1);
++                      the_url[sizeof(the_url) - 1] = 0;
+                       fprintf(stderr, "Navigating to URL %s\n", the_url);
+                       gf_term_navigate_to(term, evt->navigate.to_url);
+                       return 1;
+@@ -1089,6 +1090,11 @@ void set_cfg_option(char *opt_string)
+       }
+       {
+               const size_t sepIdx = sep - opt_string;
++              if (sepIdx >= sizeof(szSec)) {
++                      fprintf(stderr, "Badly formatted option %s - Section name is too long\n", opt_string);
++                      return;
++              }
++
+               strncpy(szSec, opt_string, sepIdx);
+               szSec[sepIdx] = 0;
+       }
+@@ -1100,8 +1106,16 @@ void set_cfg_option(char *opt_string)
+       }
+       {
+               const size_t sepIdx = sep2 - sep;
++              if (sepIdx >= sizeof(szKey)) {
++                      fprintf(stderr, "Badly formatted option %s - key name is too long\n", opt_string);
++                      return;
++              }
+               strncpy(szKey, sep, sepIdx);
+               szKey[sepIdx] = 0;
++              if (strlen(sep2 + 1) >= sizeof(szVal)) {
++                      fprintf(stderr, "Badly formatted option %s - value is too long\n", opt_string);
++                      return;
++              }
+               strcpy(szVal, sep2+1);
+       }
+@@ -1656,7 +1670,14 @@ int mp4client_main(int argc, char **argv
+       else if (!gui_mode && url_arg) {
+               char *ext;
+-              strcpy(the_url, url_arg);
++              if (strlen(url_arg) >= sizeof(the_url)) {
++                      fprintf(stderr, "Input url %s is too long, truncating to %d chars.\n", url_arg, (int)(sizeof(the_url) - 1));
++                      strncpy(the_url, url_arg, sizeof(the_url)-1);
++                      the_url[sizeof(the_url) - 1] = 0;
++              }
++              else {
++                      strcpy(the_url, url_arg);
++              }
+               ext = strrchr(the_url, '.');
+               if (ext && (!stricmp(ext, ".m3u") || !stricmp(ext, ".pls"))) {
+                       GF_Err e = GF_OK;
+@@ -1668,7 +1689,10 @@ int mp4client_main(int argc, char **argv
+                               GF_DownloadSession *sess = gf_dm_sess_new(term->downloader, the_url, GF_NETIO_SESSION_NOT_THREADED, NULL, NULL, &e);
+                               if (sess) {
+                                       e = gf_dm_sess_process(sess);
+-                                      if (!e) strcpy(the_url, gf_dm_sess_get_cache_name(sess));
++                                      if (!e) {
++                                              strncpy(the_url, gf_dm_sess_get_cache_name(sess), sizeof(the_url) - 1);
++                                              the_url[sizeof(the_cfg) - 1] = 0;
++                                      }
+                                       gf_dm_sess_del(sess);
+                               }
+                       }
+@@ -1691,7 +1715,8 @@ int mp4client_main(int argc, char **argv
+               fprintf(stderr, "Hit 'h' for help\n\n");
+               str = gf_cfg_get_key(cfg_file, "General", "StartupFile");
+               if (str) {
+-                      strcpy(the_url, "MP4Client "GPAC_FULL_VERSION);
++                      strncpy(the_url, "MP4Client "GPAC_FULL_VERSION , sizeof(the_url)-1);
++                      the_url[sizeof(the_url) - 1] = 0;
+                       gf_term_connect(term, str);
+                       startup_file = 1;
+                       is_connected = 1;
+--- a/modules/ffmpeg_in/ffmpeg_demux.c
++++ b/modules/ffmpeg_in/ffmpeg_demux.c
+@@ -227,7 +227,7 @@ static Bool FFD_CanHandleURL(GF_InputSer
+       AVFormatContext *ctx;
+       AVOutputFormat *fmt_out;
+       Bool ret = GF_FALSE;
+-      char *ext, szName[1000], szExt[20];
++      char *ext, szName[1024], szExt[20];
+       const char *szExtList;
+       FFDemux *ffd;
+       if (!plug || !url)
+@@ -243,6 +243,9 @@ static Bool FFD_CanHandleURL(GF_InputSer
+       ffd = (FFDemux*)plug->priv;
++      if (strlen(url) >= sizeof(szName))
++              return GF_FALSE;
++
+       strcpy(szName, url);
+       ext = strrchr(szName, '#');
+       if (ext) ext[0] = 0;
+@@ -252,7 +255,7 @@ static Bool FFD_CanHandleURL(GF_InputSer
+       ext = strrchr(szName, '.');
+       if (ext && strlen(ext) > 19) ext = NULL;
+-      if (ext && strlen(ext) > 1) {
++      if (ext && strlen(ext) > 1 && strlen(ext) <= sizeof(szExt)) {
+               strcpy(szExt, &ext[1]);
+               strlwr(szExt);
+ #ifndef FFMPEG_DEMUX_ENABLE_MPEG2TS
+--- a/src/scene_manager/scene_manager.c
++++ b/src/scene_manager/scene_manager.c
+@@ -646,6 +646,10 @@ GF_Err gf_sm_load_init(GF_SceneLoader *l
+                               ext[0] = '.';
+                               ext = anext;
+                       }
++                      if (strlen(ext) < 2 || strlen(ext) > sizeof(szExt)) {
++                              GF_LOG(GF_LOG_ERROR, GF_LOG_SCENE, ("[Scene Manager] invalid extension in file name %s\n", load->fileName));
++                              return GF_NOT_SUPPORTED;
++                      }
+                       strcpy(szExt, &ext[1]);
+                       strlwr(szExt);
+                       if (strstr(szExt, "bt")) load->type = GF_SM_LOAD_BT;
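Review bot: The terminator written after the cache-name copy in mp4client_main uses the wrong array: `the_url[sizeof(the_cfg) - 1] = 0;` follows a `strncpy(the_url, ..., sizeof(the_url) - 1)`, so the index is taken from a different object than the one being bounded. If `the_cfg` is not a char array of exactly the same size as `the_url` (its declaration is outside this hunk, so I cannot confirm), the NUL lands out of bounds or leaves `the_url` unterminated after a truncated copy, which is the very class of bug this patch is meant to close; the line should read `the_url[sizeof(the_url) - 1] = 0;`, matching the other three strncpy sites in this file. The `strncpy` sites also truncate silently except the url_arg one; a truncated URL or cache path is then passed to `gf_term_navigate_to`/`gf_term_connect`, so a log line at each site, as the url_arg branch already does, would make a truncated input visible rather than quietly changing the target. The enclosing functions (cat_multiple_files, GPAC_EventProc, set_cfg_option, mp4client_main) all begin and end outside the hunks shown.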
index 846dadb97eb6435112fea67e37c16af46c667243..bcfe8ab08bda3f34c8f5905ebba35a9b128d2ed1 100644 (file)
@@ -5,11 +5,9 @@ Upstream: commit 90dc7f853d31b0a4e9441cba97feccf36d8b69a4
 
 fix some exploitable overflows (#994, #997)
 
-diff --git a/include/gpac/tools.h b/include/gpac/tools.h
-index dbc3cebf3..15483d7d6 100644
 --- a/include/gpac/tools.h
 +++ b/include/gpac/tools.h
-@@ -1067,6 +1067,7 @@ void gf_fm_request_call(u32 type, u32 param, int *value);
+@@ -1067,6 +1067,7 @@ void gf_fm_request_call(u32 type, u32 pa
  
  /* \endcond */
  
@@ -17,11 +15,9 @@ index dbc3cebf3..15483d7d6 100644
  
  #ifdef __cplusplus
  }
-diff --git a/src/isomedia/avc_ext.c b/src/isomedia/avc_ext.c
-index c1096f872..c59f2ce97 100644
 --- a/src/isomedia/avc_ext.c
 +++ b/src/isomedia/avc_ext.c
-@@ -2413,6 +2413,8 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
+@@ -2361,6 +2361,8 @@ GF_Err gf_isom_oinf_read_entry(void *ent
                op->output_layer_set_idx = gf_bs_read_u16(bs);
                op->max_temporal_id = gf_bs_read_u8(bs);
                op->layer_count = gf_bs_read_u8(bs);
@@ -30,11 +26,9 @@ index c1096f872..c59f2ce97 100644
                for (j = 0; j < op->layer_count; j++) {
                        op->layers_info[j].ptl_idx = gf_bs_read_u8(bs);
                        op->layers_info[j].layer_id = gf_bs_read_int(bs, 6);
-diff --git a/src/media_tools/av_parsers.c b/src/media_tools/av_parsers.c
-index b9b5acdbb..27a6807d9 100644
 --- a/src/media_tools/av_parsers.c
 +++ b/src/media_tools/av_parsers.c
-@@ -2385,6 +2385,10 @@ s32 gf_media_avc_read_sps(const char *sps_data, u32 sps_size, AVCState *avc, u32
+@@ -2386,6 +2386,10 @@ s32 gf_media_avc_read_sps(const char *sp
                sps->offset_for_non_ref_pic = bs_get_se(bs);
                sps->offset_for_top_to_bottom_field = bs_get_se(bs);
                sps->poc_cycle_length = bs_get_ue(bs);
index 82ab5cf3f4256e9580fbbb9a459493a818d9bd2c..5dadc4b5cbcf9ba82260ec989d778f9ca53e56ac 100644 (file)
@@ -7,4 +7,5 @@ dont-err-build-on-uknown-system.patch
 ffmpeg_4.patch
 fix_makefile_install.patch
 CVE-2018-7752.patch
+CVE-2018-20762.patch
 CVE-2018-20763.patch