CVE-2018-20762
authorDebian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Sat, 14 Nov 2020 02:27:34 +0000 (21:27 -0500)
committerReinhard Tartler <siretart@tauware.de>
Sat, 14 Nov 2020 02:27:34 +0000 (21:27 -0500)
commit 35ab4475a7df9b2a4bcab235e379c0c3ec543658
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date:   Fri Jan 11 11:32:54 2019 +0100
Description: CVE-2018-20762

    fix some overflows due to strcpy

    fixes #1184, #1186, #1187 among other things

Gbp-Pq: Name CVE-2018-20762.patch

applications/mp4box/fileimport.c
applications/mp4client/main.c
modules/ffmpeg_in/ffmpeg_demux.c
src/scene_manager/scene_manager.c

index 437110b43d760ff112acd691ffd93252a60a1c23..e719924a0b0d4ca7a73288d0ba4623b692e14848 100644 (file)
@@ -2247,17 +2247,33 @@ GF_Err cat_multiple_files(GF_ISOFile *dest, char *fileName, u32 import_flags, Do
        cat_enum.align_timelines = align_timelines;
        cat_enum.allow_add_in_command = allow_add_in_command;
 
+       if (strlen(fileName) >= sizeof(cat_enum.szPath)) {
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName));
+               return GF_NOT_SUPPORTED;
+       }
        strcpy(cat_enum.szPath, fileName);
        sep = strrchr(cat_enum.szPath, GF_PATH_SEPARATOR);
        if (!sep) sep = strrchr(cat_enum.szPath, '/');
        if (!sep) {
                strcpy(cat_enum.szPath, ".");
+               if (strlen(fileName) >= sizeof(cat_enum.szRad1)) {
+                       GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName));
+                       return GF_NOT_SUPPORTED;
+               }
                strcpy(cat_enum.szRad1, fileName);
        } else {
+               if (strlen(sep + 1) >= sizeof(cat_enum.szRad1)) {
+                       GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1)));
+                       return GF_NOT_SUPPORTED;
+               }
                strcpy(cat_enum.szRad1, sep+1);
                sep[0] = 0;
        }
        sep = strchr(cat_enum.szRad1, '*');
+       if (strlen(sep + 1) >= sizeof(cat_enum.szRad2)) {
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1)));
+               return GF_NOT_SUPPORTED;
+       }
        strcpy(cat_enum.szRad2, sep+1);
        sep[0] = 0;
        sep = strchr(cat_enum.szRad2, '%');
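Review bot: The new guard before `strcpy(cat_enum.szRad2, sep+1)` evaluates `strlen(sep + 1)` immediately after `sep = strchr(cat_enum.szRad1, '*')`, and no NULL test is visible in the hunk. If a caller can pass a name without `*`, this is a NULL-pointer dereference instead of a clean error. The rest of cat_multiple_files and its callers are outside the hunk, so unless they guarantee the wildcard, add `if (!sep) return GF_NOT_SUPPORTED;` before the length check. The four guards also repeat the same check, log and return shape, so a small static helper taking destination, size and source would keep each bound next to its copy.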
@@ -2265,6 +2281,10 @@ GF_Err cat_multiple_files(GF_ISOFile *dest, char *fileName, u32 import_flags, Do
        if (!sep) sep = strchr(cat_enum.szRad2, ':');
        strcpy(cat_enum.szOpt, "");
        if (sep) {
+               if (strlen(sep) >= sizeof(cat_enum.szOpt)) {
+                       GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("Invalid option: %s.\n", sep));
+                       return GF_NOT_SUPPORTED;
+               }
                strcpy(cat_enum.szOpt, sep);
                sep[0] = 0;
        }
index 397bf6cfc68afd8dfc499dcc0d362b864951d1cd..63b4651d6c437d467ec8c798b9ef60cbda26658f 100644 (file)
@@ -900,7 +900,8 @@ Bool GPAC_EventProc(void *ptr, GF_Event *evt)
                break;
        case GF_EVENT_NAVIGATE:
                if (gf_term_is_supported_url(term, evt->navigate.to_url, 1, no_mime_check)) {
-                       strcpy(the_url, evt->navigate.to_url);
+                       strncpy(the_url, evt->navigate.to_url, sizeof(the_url)-1);
+                       the_url[sizeof(the_url) - 1] = 0;
                        fprintf(stderr, "Navigating to URL %s\n", the_url);
                        gf_term_navigate_to(term, evt->navigate.to_url);
                        return 1;
@@ -1089,6 +1090,11 @@ void set_cfg_option(char *opt_string)
        }
        {
                const size_t sepIdx = sep - opt_string;
+               if (sepIdx >= sizeof(szSec)) {
+                       fprintf(stderr, "Badly formatted option %s - Section name is too long\n", opt_string);
+                       return;
+               }
+
                strncpy(szSec, opt_string, sepIdx);
                szSec[sepIdx] = 0;
        }
@@ -1100,8 +1106,16 @@ void set_cfg_option(char *opt_string)
        }
        {
                const size_t sepIdx = sep2 - sep;
+               if (sepIdx >= sizeof(szKey)) {
+                       fprintf(stderr, "Badly formatted option %s - key name is too long\n", opt_string);
+                       return;
+               }
                strncpy(szKey, sep, sepIdx);
                szKey[sepIdx] = 0;
+               if (strlen(sep2 + 1) >= sizeof(szVal)) {
+                       fprintf(stderr, "Badly formatted option %s - value is too long\n", opt_string);
+                       return;
+               }
                strcpy(szVal, sep2+1);
        }
 
@@ -1656,7 +1670,14 @@ int mp4client_main(int argc, char **argv)
        else if (!gui_mode && url_arg) {
                char *ext;
 
-               strcpy(the_url, url_arg);
+               if (strlen(url_arg) >= sizeof(the_url)) {
+                       fprintf(stderr, "Input url %s is too long, truncating to %d chars.\n", url_arg, (int)(sizeof(the_url) - 1));
+                       strncpy(the_url, url_arg, sizeof(the_url)-1);
+                       the_url[sizeof(the_url) - 1] = 0;
+               }
+               else {
+                       strcpy(the_url, url_arg);
+               }
                ext = strrchr(the_url, '.');
                if (ext && (!stricmp(ext, ".m3u") || !stricmp(ext, ".pls"))) {
                        GF_Err e = GF_OK;
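Review bot: Truncating `url_arg` and carrying on means the player later opens a URL or path that the user did not supply, which for a local path may resolve to a different file. The over-length cases in set_cfg_option in this same commit reject the input instead, and doing the same here would be more predictable than a warning followed by a shortened URL. If truncation is kept, the `else` branch with a bare `strcpy` is unnecessary: the `strncpy` plus `the_url[sizeof(the_url) - 1] = 0;` pair handles both lengths. The error path of mp4client_main is outside the hunk, so the exact early-exit form has to follow whatever cleanup it uses.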
@@ -1668,7 +1689,10 @@ int mp4client_main(int argc, char **argv)
                                GF_DownloadSession *sess = gf_dm_sess_new(term->downloader, the_url, GF_NETIO_SESSION_NOT_THREADED, NULL, NULL, &e);
                                if (sess) {
                                        e = gf_dm_sess_process(sess);
-                                       if (!e) strcpy(the_url, gf_dm_sess_get_cache_name(sess));
+                                       if (!e) {
+                                               strncpy(the_url, gf_dm_sess_get_cache_name(sess), sizeof(the_url) - 1);
+                                               the_url[sizeof(the_cfg) - 1] = 0;
+                                       }
                                        gf_dm_sess_del(sess);
                                }
                        }
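Review bot: The terminator is written at `the_url[sizeof(the_cfg) - 1]`, which indexes `the_url` with the size of a different buffer and looks like a typo for `sizeof(the_url)`. Both arrays are declared outside the hunk. If `the_cfg` is the larger one this is an out-of-bounds write, and if it is smaller a long cache name may leave `the_url` without a terminator at its last byte. The line should read `the_url[sizeof(the_url) - 1] = 0;`, matching the other strncpy sites in this commit.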
@@ -1691,7 +1715,8 @@ int mp4client_main(int argc, char **argv)
                fprintf(stderr, "Hit 'h' for help\n\n");
                str = gf_cfg_get_key(cfg_file, "General", "StartupFile");
                if (str) {
-                       strcpy(the_url, "MP4Client "GPAC_FULL_VERSION);
+                       strncpy(the_url, "MP4Client "GPAC_FULL_VERSION , sizeof(the_url)-1);
+                       the_url[sizeof(the_url) - 1] = 0;
                        gf_term_connect(term, str);
                        startup_file = 1;
                        is_connected = 1;
index a674c68d2f187251b1026d1793acfbcb19991ae1..21826c3c369a9729ff483bdd1992bcae7a19f89a 100644 (file)
@@ -227,7 +227,7 @@ static Bool FFD_CanHandleURL(GF_InputService *plug, const char *url)
        AVFormatContext *ctx;
        AVOutputFormat *fmt_out;
        Bool ret = GF_FALSE;
-       char *ext, szName[1000], szExt[20];
+       char *ext, szName[1024], szExt[20];
        const char *szExtList;
        FFDemux *ffd;
        if (!plug || !url)
@@ -243,6 +243,9 @@ static Bool FFD_CanHandleURL(GF_InputService *plug, const char *url)
 
        ffd = (FFDemux*)plug->priv;
 
+       if (strlen(url) >= sizeof(szName))
+               return GF_FALSE;
+
        strcpy(szName, url);
        ext = strrchr(szName, '#');
        if (ext) ext[0] = 0;
@@ -252,7 +255,7 @@ static Bool FFD_CanHandleURL(GF_InputService *plug, const char *url)
        ext = strrchr(szName, '.');
        if (ext && strlen(ext) > 19) ext = NULL;
 
-       if (ext && strlen(ext) > 1) {
+       if (ext && strlen(ext) > 1 && strlen(ext) <= sizeof(szExt)) {
                strcpy(szExt, &ext[1]);
                strlwr(szExt);
 #ifndef FFMPEG_DEMUX_ENABLE_MPEG2TS
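Review bot: The bound `strlen(ext) <= sizeof(szExt)` reads like an off-by-one and is only correct because the copy starts at `&ext[1]`, dropping the dot. A comment would keep a later edit from breaking it, for example `/* ext includes the leading '.', so strlen(ext) - 1 chars plus the NUL fit in szExt */`. The line just above already sets `ext` to NULL when it is longer than 19 characters, so the new clause is redundant here as written. The gf_sm_load_init hunk uses the same form, `strlen(ext) > sizeof(szExt)`, with `szExt` declared outside the hunk, and would benefit from the same comment.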
index 263819340954e3f2c19679ff63a19644f47c7aea..0cf297b92d151d5581896c7c37094b575e4fdcb3 100644 (file)
@@ -646,6 +646,10 @@ GF_Err gf_sm_load_init(GF_SceneLoader *load)
                                ext[0] = '.';
                                ext = anext;
                        }
+                       if (strlen(ext) < 2 || strlen(ext) > sizeof(szExt)) {
+                               GF_LOG(GF_LOG_ERROR, GF_LOG_SCENE, ("[Scene Manager] invalid extension in file name %s\n", load->fileName));
+                               return GF_NOT_SUPPORTED;
+                       }
                        strcpy(szExt, &ext[1]);
                        strlwr(szExt);
                        if (strstr(szExt, "bt")) load->type = GF_SM_LOAD_BT;