[PATCH] fixed #2046
authorjeanlf <jeanlf@gpac.io>
Mon, 17 Jan 2022 09:40:43 +0000 (10:40 +0100)
committerMoritz Mühlenhoff <jmm@debian.org>
Mon, 19 Jun 2023 21:46:06 +0000 (22:46 +0100)
Gbp-Pq: Name CVE-2022-24577.patch

src/isomedia/box_code_base.c
src/isomedia/isom_write.c

index 4de52f0d0e5a5ccb0b7b41e4b7b2b745e18379d1..968ead0a2c848040a1e9d0572dcacc8e1b177ba8 100644 (file)
@@ -2835,7 +2835,17 @@ GF_Err iods_box_read(GF_Box *s, GF_BitStream *bs)
        e = gf_odf_desc_read(desc, descSize, &ptr->descriptor);
        //OK, free our desc
        gf_free(desc);
-       return e;
+
+       if (e) return e;
+       switch (ptr->descriptor->tag) {
+       case GF_ODF_ISOM_OD_TAG:
+       case GF_ODF_ISOM_IOD_TAG:
+               break;
+       default:
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid descriptor in iods, tag %u found but only %u or %u allowed\n", ptr->descriptor->tag, GF_ODF_ISOM_IOD_TAG, GF_ODF_ISOM_OD_TAG ));
+               return GF_ISOM_INVALID_FILE;
+       }
+       return GF_OK;
 }
 
 GF_Box *iods_box_new()
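Review bot: The new `switch (ptr->descriptor->tag)` dereferences `ptr->descriptor` on the strength of `e` being zero alone. Whether gf_odf_desc_read() can return success and still leave the pointer NULL is not visible in this hunk, so a guard such as `if (!ptr->descriptor) return GF_ISOM_INVALID_FILE;` before the switch would make the validation self-contained. A one-line comment above the switch saying why other tags are rejected (presumably because users of this box treat the descriptor as an OD or IOD) would also help the next reader. The body of iods_box_read starts above this hunk, so the allocation and size handling for `desc` were not reviewed.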
@@ -5061,6 +5071,32 @@ GF_Err stbl_box_read(GF_Box *s, GF_BitStream *bs)
                if (!ptr->TimeToSample->nb_entries || !ptr->SampleToChunk->nb_entries)
                        return GF_ISOM_INVALID_FILE;
        }
+       u32 i, max_chunks=0;
+       if (ptr->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) {
+               max_chunks = ((GF_ChunkOffsetBox *)ptr->ChunkOffset)->nb_entries;
+       }
+       else if (ptr->ChunkOffset->type == GF_ISOM_BOX_TYPE_CO64) {
+               max_chunks = ((GF_ChunkOffsetBox *)ptr->ChunkOffset)->nb_entries;
+       }
+
+       //sanity check on stsc vs chunk offset tables
+       for (i=0; i<ptr->SampleToChunk->nb_entries; i++) {
+               GF_StscEntry *ent = &ptr->SampleToChunk->entries[i];
+               if (!i && (ent->firstChunk!=1)) {
+                       GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] first_chunk of first entry shall be 1 but is %u\n", ent->firstChunk));
+                       return GF_ISOM_INVALID_FILE;
+               }
+               if (ptr->SampleToChunk->entries[i].firstChunk > max_chunks) {
+                       GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] first_chunk is %u but number of chunks defined %u\n", ptr->SampleToChunk->entries[i].firstChunk, max_chunks));
+                       return GF_ISOM_INVALID_FILE;
+               }
+               if (i+1 == ptr->SampleToChunk->nb_entries) break;
+               GF_StscEntry *next_ent = &ptr->SampleToChunk->entries[i+1];
+               if (next_ent->firstChunk < ent->firstChunk) {
+                       GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] first_chunk (%u) for entry %u is greater than first_chunk (%u) for entry %u\n", i+1, ent->firstChunk, i+2, next_ent->firstChunk));
+                       return GF_ISOM_INVALID_FILE;
+               }
+       }
        return GF_OK;
 }
 
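Review bot: The last GF_LOG in the loop passes its arguments in a different order than its format string expects. The text reads `first_chunk (%u) for entry %u`, but the arguments are `i+1, ent->firstChunk, i+2, next_ent->firstChunk`, so chunk numbers and entry indices are swapped in the log; the order should be `ent->firstChunk, i+1, next_ent->firstChunk, i+2`. The two branches that set `max_chunks` are identical, including the cast to `GF_ChunkOffsetBox *` in the CO64 case; if the 64-bit box has its own struct type, casting to it there would avoid relying on matching layouts. The added code also dereferences `ptr->ChunkOffset` and `ptr->SampleToChunk` unconditionally, while the only check visible in the context sits inside a conditional block. It is worth confirming that both are guaranteed non-NULL earlier in stbl_box_read, which starts above this hunk.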
index 9ec3c37e40e33402165e73b24786059a0600a55d..1e3366f03cae23553870bfe43ebf72b81c21c792 100644 (file)
@@ -2640,6 +2640,7 @@ GF_Err gf_isom_remove_track(GF_ISOFile *movie, u32 trackNumber)
        i=0;
        while ((trak = (GF_TrackBox *)gf_list_enum(movie->moov->trackList, &i))) {
                if (trak->Media->handler->handlerType != GF_ISOM_MEDIA_OD) continue;
+
                //this is an OD track...
                j = gf_isom_get_sample_count(movie, i);
                for (k=0; k < j; k++) {
@@ -2663,7 +2664,6 @@ GF_Err gf_isom_remove_track(GF_ISOFile *movie, u32 trackNumber)
        //note that we don't touch scal references, as we don't want to rewrite AVC/HEVC samples ...
        i=0;
        while ((trak = (GF_TrackBox *)gf_list_enum(movie->moov->trackList, &i))) {
-               if (trak == the_trak) continue;
                if (! trak->References || ! gf_list_count(trak->References->child_boxes)) continue;
 
                j=0;