Fix stack overflow in MP4Box CVE-2022-1441
authorReinhard Tartler <siretart@tauware.de>
Sat, 4 Mar 2023 17:44:21 +0000 (12:44 -0500)
committerReinhard Tartler <siretart@tauware.de>
Sat, 4 Mar 2023 17:44:21 +0000 (12:44 -0500)
debian/patches/CVE-2022-1441.patch [new file with mode: 0644]
debian/patches/series

diff --git a/debian/patches/CVE-2022-1441.patch b/debian/patches/CVE-2022-1441.patch
new file mode 100644 (file)
index 0000000..61bc101
--- /dev/null
@@ -0,0 +1,35 @@
+commit 3dbe11b37d65c8472faf0654410068e5500b3adb
+Author: jeanlf <jeanlf@gpac.io>
+Date:   Tue Apr 19 09:15:58 2022 +0200
+
+    fixed #2175
+
+diff --git a/src/isomedia/box_code_3gpp.c b/src/isomedia/box_code_3gpp.c
+index 3f9ff0569..928a5575f 100644
+--- a/src/isomedia/box_code_3gpp.c
++++ b/src/isomedia/box_code_3gpp.c
+@@ -1128,20 +1128,12 @@ void diST_box_del(GF_Box *s)
+ GF_Err diST_box_read(GF_Box *s, GF_BitStream *bs)
+ {
+-      u32 i;
+-      char str[1024];
+       GF_DIMSScriptTypesBox *p = (GF_DIMSScriptTypesBox *)s;
+-      i=0;
+-      str[0]=0;
+-      while (1) {
+-              str[i] = gf_bs_read_u8(bs);
+-              if (!str[i]) break;
+-              i++;
+-      }
+-      ISOM_DECREASE_SIZE(p, i);
+-
+-      p->content_script_types = gf_strdup(str);
++      p->content_script_types = gf_malloc(sizeof(char) * (s->size+1));
++      if (!p->content_script_types) return GF_OUT_OF_MEM;
++      gf_bs_read_data(bs, p->content_script_types, s->size);
++      p->content_script_types[s->size] = 0;
+       return GF_OK;
+ }
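Review bot: The result of `gf_bs_read_data(bs, p->content_script_types, s->size)` is discarded in the new `diST_box_read` body, so on a truncated file the tail of the `gf_malloc` buffer may stay uninitialized and still be treated as string content, because the terminator is always written at `s->size`. If `gf_bs_read_data` returns the number of bytes actually read, terminate there instead: `u32 got = gf_bs_read_data(bs, p->content_script_types, (u32) s->size);` followed by `p->content_script_types[got] = 0;`. `s->size` is also taken from the file and used as the allocation size with no visible bound. The types are not shown in this hunk, but if it is wider than the length parameter of the allocator or the reader, `s->size+1` can truncate while the index on the terminator line does not, so a range check against the remaining bitstream before the `gf_malloc` would be worth adding. A short comment such as `/* payload may lack a NUL; copy s->size bytes and terminate explicitly */` would record why the fixed 1024-byte stack buffer was dropped.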
index b092b05c41f4a29a374dbcb14a78148b5a5fce26..bc5ddc8879e0effacc29c90111f06b3e52852344 100644 (file)
@@ -6,3 +6,4 @@ CVE-2022-30976.patch
 CVE-2022-1035.patch
 CVE-2022-1172.patch
 CVE-2022-1222.patch
+CVE-2022-1441.patch
\ No newline at end of file