CVE-2022-38530
authorDebian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Mon, 19 Jun 2023 21:46:06 +0000 (22:46 +0100)
committerMoritz Mühlenhoff <jmm@debian.org>
Mon, 19 Jun 2023 21:46:06 +0000 (22:46 +0100)
Origin: https://github.com/gpac/gpac/commit/4e56ad72ac1afb4e049a10f2d99e7512d7141f9d
Reviewed-by: Aron Xu <aron@debian.org>
From 4e56ad72ac1afb4e049a10f2d99e7512d7141f9d Mon Sep 17 00:00:00 2001
From: jeanlf <jeanlf@gpac.io>
Date: Tue, 12 Jul 2022 18:29:36 +0200
Subject: [PATCH] fixed #2216

Gbp-Pq: Name CVE-2022-38530.patch

applications/mp4box/main.c
src/odf/desc_private.c

index aec7ef6d9fd368204375c2b591e3c85de08e8c2c..34291e679f25028dec2004c938fa4506fd35d2a8 100644 (file)
@@ -1359,7 +1359,7 @@ GF_Err HintFile(GF_ISOFile *file, u32 MTUSize, u32 max_ptime, u32 rtp_rate, u32
 
                if (e) {
                        fprintf(stderr, "Error while hinting (%s)\n", gf_error_to_string(e));
-                       if (!nb_done) return e;
+                       return e;
                }
                init_payt++;
                nb_done ++;
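Review bot: The `return e;` in the error branch carries no comment explaining why hinting now stops at the first failing track even when earlier tracks were hinted successfully, and the commit subject only says "fixed #2216". A line such as `/* abort on the first hinting error instead of continuing with the remaining tracks */` above the return would record the intent. HintFile starts and ends outside this hunk, so confirm that nothing allocated earlier in the same loop iteration is still held when this return is taken.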
index a22c7cca8caf07a1e5f858b89dde7fec38fc2cd0..33313f12fb1e0826f57772e38c67e1976340cbbb 100644 (file)
@@ -273,7 +273,7 @@ GF_Err gf_odf_delete_descriptor(GF_Descriptor *desc)
 //
 //             READERS
 //
-GF_Err gf_odf_read_descriptor(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSize)
+static GF_Err gf_odf_read_descriptor_internal(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSize)
 {
        switch (desc->tag) {
        case GF_ODF_IOD_TAG :
@@ -368,7 +368,17 @@ GF_Err gf_odf_read_descriptor(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSiz
        return GF_OK;
 }
 
-
+GF_Err gf_odf_read_descriptor(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSize)
+{
+       u64 cookie = gf_bs_get_cookie(bs);
+       //we allow 100 max desc in a hierarchy - see issue 2216
+       if (cookie>100)
+               return GF_NON_COMPLIANT_BITSTREAM;
+       gf_bs_set_cookie(bs, cookie+1);
+       GF_Err e = gf_odf_read_descriptor_internal(bs, desc, DescSize);
+       gf_bs_set_cookie(bs, cookie);
+       return e;
+}
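Review bot: The nesting depth in the new gf_odf_read_descriptor is stored in the bitstream cookie, which is only sound if nothing else stores a value in that cookie for the same stream while descriptors are being parsed. The callers are not visible here, so that assumption deserves a comment, for example `//the bs cookie is used as the descriptor nesting counter here, it must not carry other data for this stream`. A cookie that is already non-zero on entry would either trip the limit early or make the count meaningless. The test `if (cookie>100)` also lets 101 nested levels through while the comment says 100; `if (cookie>=100)` would match it, and a named constant would be clearer than the literal. The guard bounds recursion only if nested descriptors are read through this wrapper, which the `static` on gf_odf_read_descriptor_internal suggests but the per-tag readers outside the hunk would have to confirm.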