[PATCH] fixed #1733

Gbp-Pq: Name CVE-2021-31255.patch

diff --git a/src/isomedia/box_code_adobe.c b/src/isomedia/box_code_adobe.c
index ab5115f25a439f6f13850c321e581df77b96d6a8..711d84bf0d95c57bee27a17573a30b8a52826143 100644 (file)
--- a/src/isomedia/box_code_adobe.c
+++ b/src/isomedia/box_code_adobe.c
@@ -79,6 +79,7 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
        int i;
        u32 tmp_strsize;
        char *tmp_str;
+       Bool zfound=GF_FALSE;
        GF_Err e;
 
        ISOM_DECREASE_SIZE(ptr, 25)
@@ -102,10 +103,14 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
                ISOM_DECREASE_SIZE(ptr, 1)
                tmp_str[i] = gf_bs_read_u8(bs);
                tmp_strsize--;
-               if (!tmp_str[i])
+               if (!tmp_str[i]) {
+                       zfound = GF_TRUE;
                        break;
+               }
                i++;
        }
+       if (!zfound)
+               return GF_ISOM_INVALID_FILE;
        if (i) {
                ptr->movie_identifier = gf_strdup(tmp_str);
        }
@@ -114,15 +119,20 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
        ptr->server_entry_count = gf_bs_read_u8(bs);
        for (i=0; i<ptr->server_entry_count; i++) {
                int j=0;
+               zfound = GF_FALSE;
                tmp_strsize=(u32)ptr->size;
                while (tmp_strsize) {
                        ISOM_DECREASE_SIZE(ptr, 1)
                        tmp_str[j] = gf_bs_read_u8(bs);
                        tmp_strsize--;
-                       if (!tmp_str[j])
+                       if (!tmp_str[j]) {
+                               zfound = GF_TRUE;
                                break;
+                       }
                        j++;
                }
+               if (!zfound)
+                       return GF_ISOM_INVALID_FILE;
                if (j) {
                        gf_list_insert(ptr->server_entry_table, gf_strdup(tmp_str), i);
                }
@@ -132,16 +142,21 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
        ptr->quality_entry_count = gf_bs_read_u8(bs);
        for (i=0; i<ptr->quality_entry_count; i++) {
                int j=0;
+               zfound = GF_FALSE;
                tmp_strsize=(u32)ptr->size;
                while (tmp_strsize) {
                        ISOM_DECREASE_SIZE(ptr, 1)
                        tmp_str[j] = gf_bs_read_u8(bs);
                        tmp_strsize--;
-                       if (!tmp_str[j])
+                       if (!tmp_str[j]) {
+                               zfound = GF_TRUE;
                                break;
+                       }
                        j++;
                }
 
+               if (!zfound)
+                       return GF_ISOM_INVALID_FILE;
                if (j) {
                        gf_list_insert(ptr->quality_entry_table, gf_strdup(tmp_str), i);
                }
@@ -149,28 +164,38 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
 
        i=0;
        tmp_strsize=(u32)ptr->size;
+       zfound = GF_FALSE;
        while (tmp_strsize) {
                ISOM_DECREASE_SIZE(ptr, 1)
                tmp_str[i] = gf_bs_read_u8(bs);
                tmp_strsize--;
-               if (!tmp_str[i])
+               if (!tmp_str[i]) {
+                       zfound = GF_TRUE;
                        break;
+               }
                i++;
        }
+       if (!zfound)
+               return GF_ISOM_INVALID_FILE;
        if (i) {
                ptr->drm_data = gf_strdup(tmp_str);
        }
 
        i=0;
        tmp_strsize=(u32)ptr->size;
+       zfound = GF_FALSE;
        while (tmp_strsize) {
                ISOM_DECREASE_SIZE(ptr, 1)
                tmp_str[i] = gf_bs_read_u8(bs);
                tmp_strsize--;
-               if (!tmp_str[i])
+               if (!tmp_str[i]) {
+                       zfound = GF_TRUE;
                        break;
+               }
                i++;
        }
+       if (!zfound)
+               return GF_ISOM_INVALID_FILE;
        if (i) {
                ptr->meta_data = gf_strdup(tmp_str);
        }