CVE-2022-24574

Origin: https://github.com/gpac/gpac/commit/9f8510835b97a729baf3646a3171bf51b4a8592e
Reviewed-by: Aron Xu <aron@debian.org>
From 9f8510835b97a729baf3646a3171bf51b4a8592e Mon Sep 17 00:00:00 2001
From: jeanlf <jeanlf@gpac.io>
Date: Wed, 19 Jan 2022 12:12:43 +0100
Subject: [PATCH] fixed #2055

Gbp-Pq: Name CVE-2022-24574.patch

diff --git a/src/filters/isoffin_read_ch.c b/src/filters/isoffin_read_ch.c
index b5e0df314dadf96f5b5997544a17eceb22a289b8..a995f9abc76e62446b172613de2b350223c2786c 100644 (file)
--- a/src/filters/isoffin_read_ch.c
+++ b/src/filters/isoffin_read_ch.c
@@ -365,10 +365,10 @@ void isor_reader_get_sample(ISOMChannel *ch)
                                        ch->sample_num--;
                        } else {
                                if (ch->to_init && ch->sample_num) {
-                                       GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[IsoMedia] Failed to fetch initial sample %d for track %d\n"));
+                                       GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[IsoMedia] Failed to fetch initial sample %d for track %d\n", ch->sample_num, ch->track));
                                        ch->last_state = GF_ISOM_INVALID_FILE;
-                               }
-                               if (ch->sample_num >= gf_isom_get_sample_count(ch->owner->mov, ch->track)) {
+                               } else {
+                                       GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[IsoMedia] File truncated, aborting read for track %d\n", ch->track));
                                        ch->last_state = GF_EOS;
                                }
                        }
@@ -391,6 +391,9 @@ void isor_reader_get_sample(ISOMChannel *ch)
                        }
                } else {
                        GF_LOG(GF_LOG_DEBUG, GF_LOG_DASH, ("[IsoMedia] Track #%d fail to fetch sample %d / %d: %s\n", ch->track, ch->sample_num, gf_isom_get_sample_count(ch->owner->mov, ch->track), gf_error_to_string(gf_isom_last_error(ch->owner->mov)) ));
+                        if ((e<GF_OK) && (e!=GF_ISOM_INCOMPLETE_FILE)) {
+                                ch->last_state = GF_EOS;
+                        }
                }
                return;
        }

diff --git a/src/media_tools/media_export.c b/src/media_tools/media_export.c
index f8168f90bf3a0805d2147b206baf22de6bd21897..0fa7388f1a98cc406f6a4f0741c9e18cf76644f8 100644 (file)
--- a/src/media_tools/media_export.c
+++ b/src/media_tools/media_export.c
@@ -1038,6 +1038,11 @@ GF_Err gf_media_export_saf(GF_MediaExporter *dumper)
                        GF_ISOSample *samp;
                        if (safs[i].last_sample==safs[i].nb_samp) continue;
                        samp = gf_isom_get_sample(dumper->file, safs[i].track_num, safs[i].last_sample + 1, &di);
+                       if (!samp) {
+                               gf_saf_mux_del(mux);
+                               return gf_isom_last_error(dumper->file);
+                       }
+
                        gf_saf_mux_add_au(mux, safs[i].stream_id, (u32) (samp->DTS+samp->CTS_Offset), samp->data, samp->dataLength, (samp->IsRAP==RAP) ? 1 : 0);
                        /*data is kept by muxer!!*/
                        gf_free(samp);

diff --git a/src/scene_manager/scene_dump.c b/src/scene_manager/scene_dump.c
index 14dae93f1454ff3a91121361d0757ddef048a624..c0194a8ad841fd96dff879712f40253893dc2724 100644 (file)
--- a/src/scene_manager/scene_dump.c
+++ b/src/scene_manager/scene_dump.c
@@ -937,10 +937,12 @@ static void gf_dump_vrml_field(GF_SceneDumper *sdump, GF_Node *node, GF_FieldInf
                }
 
                if (!sdump->XMLDump) gf_fprintf(sdump->trace, "[");
-               for (i=0; i<mffield->count; i++) {
-                       if (i) gf_fprintf(sdump->trace, " ");
-                       gf_sg_vrml_mf_get_item(field.far_ptr, field.fieldType, &slot_ptr, i);
-                       gf_dump_vrml_sffield(sdump, sf_type, slot_ptr, 1, node);
+               if (mffield) {
+                       for (i=0; i<mffield->count; i++) {
+                               if (i) gf_fprintf(sdump->trace, " ");
+                               gf_sg_vrml_mf_get_item(field.far_ptr, field.fieldType, &slot_ptr, i);
+                               gf_dump_vrml_sffield(sdump, sf_type, slot_ptr, 1, node);
+                       }
                }
                if (!sdump->XMLDump) gf_fprintf(sdump->trace, "]");
 
@@ -1258,11 +1260,13 @@ static void gf_dump_vrml_proto_field(GF_SceneDumper *sdump, GF_Node *node, GF_Fi
                                } else {
                                        gf_fprintf(sdump->trace, " %s=\"", GetXMTFieldTypeValueName(field.fieldType));
                                }
-                               for (i=0; i<mffield->count; i++) {
-                                       if (i) gf_fprintf(sdump->trace, " ");
-                                       if (field.fieldType != GF_SG_VRML_MFNODE) {
-                                               gf_sg_vrml_mf_get_item(field.far_ptr, field.fieldType, &slot_ptr, i);
-                                               gf_dump_vrml_sffield(sdump, sf_type, slot_ptr, (mffield->count>1) ? 1 : 0, node);
+                               if (mffield) {
+                                       for (i=0; i<mffield->count; i++) {
+                                               if (i) gf_fprintf(sdump->trace, " ");
+                                               if (field.fieldType != GF_SG_VRML_MFNODE) {
+                                                       gf_sg_vrml_mf_get_item(field.far_ptr, field.fieldType, &slot_ptr, i);
+                                                       gf_dump_vrml_sffield(sdump, sf_type, slot_ptr, (mffield->count>1) ? 1 : 0, node);
+                                               }
                                        }
                                }
                                gf_fprintf(sdump->trace, "\"/>\n");