Apply patches for a bunch of CVEs
authorSebastian Ramacher <sramacher@debian.org>
Wed, 1 Sep 2021 19:57:41 +0000 (21:57 +0200)
committerSebastian Ramacher <sramacher@debian.org>
Wed, 1 Sep 2021 19:57:41 +0000 (21:57 +0200)
debian/patches/series
debian/patches/talos-2021-1297.patch [new file with mode: 0644]
debian/patches/talos-2021-1298.patch [new file with mode: 0644]
debian/patches/talos-2021-1299.patch [new file with mode: 0644]

index 0f766afa08fda3d8168d7737810d22db39d82c61..39cc63a2996c51690053ba5cbb3642dbc5f57aa8 100644 (file)
@@ -16,3 +16,6 @@ CVE-2021-31257.patch
 CVE-2021-31258.patch
 CVE-2021-31260.patch
 CVE-2021-31262.patch
+talos-2021-1297.patch
+talos-2021-1298.patch
+talos-2021-1299.patch
diff --git a/debian/patches/talos-2021-1297.patch b/debian/patches/talos-2021-1297.patch
new file mode 100644 (file)
index 0000000..e275d40
--- /dev/null
@@ -0,0 +1,152 @@
+Backport of https://github.com/gpac/gpac/commit/b515fd04f5f00f4a99df741042f1efb31ad56351
+https://talosintelligence.com/vulnerability_reports/TALOS-2021-1297
+
+--- gpac-1.0.1+dfsg1.orig/src/isomedia/box_code_base.c
++++ gpac-1.0.1+dfsg1/src/isomedia/box_code_base.c
+@@ -46,7 +46,7 @@ GF_Err co64_box_read(GF_Box *s,GF_BitStr
+       ISOM_DECREASE_SIZE(ptr, 4)
+-      if (ptr->nb_entries > ptr->size / 8) {
++      if ((u64)ptr->nb_entries > ptr->size / 8 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u64)) {
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in co64\n", ptr->nb_entries));
+               return GF_ISOM_INVALID_FILE;
+       }
+@@ -392,7 +392,7 @@ GF_Err ctts_box_read(GF_Box *s, GF_BitSt
+       ISOM_DECREASE_SIZE(ptr, 4);
+       ptr->nb_entries = gf_bs_read_u32(bs);
+-      if (ptr->nb_entries > ptr->size / 8) {
++      if (ptr->nb_entries > ptr->size / 8 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_DttsEntry) ) {
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in ctts\n", ptr->nb_entries));
+               return GF_ISOM_INVALID_FILE;
+       }
+@@ -3194,6 +3194,10 @@ GF_Err tfra_box_read(GF_Box *s, GF_BitSt
+       }
+       if (ptr->nb_entries) {
++              if ((u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_RandomAccessEntry)) {
++                      GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in traf\n", ptr->nb_entries));
++                      return GF_ISOM_INVALID_FILE;
++              }
+               p = (GF_RandomAccessEntry *) gf_malloc(sizeof(GF_RandomAccessEntry) * ptr->nb_entries);
+               if (!p) return GF_OUT_OF_MEM;
+       }
+@@ -5104,7 +5108,7 @@ GF_Err stco_box_read(GF_Box *s, GF_BitSt
+       ISOM_DECREASE_SIZE(ptr, 4);
+       ptr->nb_entries = gf_bs_read_u32(bs);
+-      if (ptr->nb_entries > ptr->size / 4) {
++      if (ptr->nb_entries > ptr->size / 4 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u32)) {
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stco\n", ptr->nb_entries));
+               return GF_ISOM_INVALID_FILE;
+       }
+@@ -5236,7 +5240,7 @@ GF_Err stsc_box_read(GF_Box *s, GF_BitSt
+       ISOM_DECREASE_SIZE(ptr, 4);
+       ptr->nb_entries = gf_bs_read_u32(bs);
+-      if (ptr->nb_entries > ptr->size / 12) {
++      if (ptr->nb_entries > ptr->size / 12 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_StscEntry)) {
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stsc\n", ptr->nb_entries));
+               return GF_ISOM_INVALID_FILE;
+       }
+@@ -5575,6 +5579,10 @@ GF_Err stsz_box_read(GF_Box *s, GF_BitSt
+                       }
+               }
+       }
++      if (ptr->sampleCount && (u64)ptr->sampleCount > (u64)SIZE_MAX/sizeof(u32)) {
++              GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stsz\n", ptr->sampleCount));
++              return GF_ISOM_INVALID_FILE;
++      }
+       if (s->type == GF_ISOM_BOX_TYPE_STSZ) {
+               if (! ptr->sampleSize && ptr->sampleCount) {
+                       if (ptr->sampleCount > ptr->size / 4) {
+@@ -5779,7 +5787,7 @@ GF_Err stts_box_read(GF_Box *s, GF_BitSt
+       ISOM_DECREASE_SIZE(ptr, 4);
+       ptr->nb_entries = gf_bs_read_u32(bs);
+-      if (ptr->size < ptr->nb_entries * 8) {
++      if (ptr->size / 8 < ptr->nb_entries || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_SttsEntry)) {
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stts\n", ptr->nb_entries));
+               return GF_ISOM_INVALID_FILE;
+       }
+@@ -7276,6 +7284,10 @@ GF_Err trun_box_read(GF_Box *s, GF_BitSt
+               if (ptr->sample_count * 4 > ptr->size) {
+                       ISOM_DECREASE_SIZE(ptr, ptr->sample_count*4);
+               }
++              if ((u64)ptr->sample_count > (u64)SIZE_MAX/sizeof(GF_TrunEntry)) {
++                      GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of samples %d in trun\n", ptr->sample_count));
++                      return GF_ISOM_INVALID_FILE;
++              }
+               ptr->samples = gf_malloc(sizeof(GF_TrunEntry) * ptr->sample_count);
+               if (!ptr->samples) return GF_OUT_OF_MEM;
+               ptr->sample_alloc = ptr->nb_samples = ptr->sample_count;
+@@ -8786,7 +8798,7 @@ GF_Err ssix_box_read(GF_Box *s, GF_BitSt
+       ISOM_DECREASE_SIZE(ptr, 4)
+       ptr->subsegment_count = gf_bs_read_u32(bs);
+       //each subseg has at least one range_count (4 bytes), abort if not enough bytes (broken box)
+-      if (ptr->size < ptr->subsegment_count*4)
++      if (ptr->size / 4 < ptr->subsegment_count || (u64)ptr->subsegment_count > (u64)SIZE_MAX/sizeof(GF_SubsegmentInfo))
+               return GF_ISOM_INVALID_FILE;
+       GF_SAFE_ALLOC_N(ptr->subsegments, ptr->subsegment_count, GF_SubsegmentInfo);
+@@ -8797,7 +8809,7 @@ GF_Err ssix_box_read(GF_Box *s, GF_BitSt
+               ISOM_DECREASE_SIZE(ptr, 4)
+               subseg->range_count = gf_bs_read_u32(bs);
+               //each range is 4 bytes, abort if not enough bytes
+-              if (ptr->size < subseg->range_count*4)
++              if (ptr->size / 4 < subseg->range_count || (u64)subseg->range_count > (u64)SIZE_MAX/sizeof(GF_SubsegmentRangeInfo))
+                       return GF_ISOM_INVALID_FILE;
+               subseg->ranges = (GF_SubsegmentRangeInfo*) gf_malloc(sizeof(GF_SubsegmentRangeInfo) * subseg->range_count);
+               if (!subseg->ranges) return GF_OUT_OF_MEM;
+@@ -8979,6 +8991,11 @@ GF_Err pcrb_box_read(GF_Box *s,GF_BitStr
+       ISOM_DECREASE_SIZE(ptr, 4);
+       ptr->subsegment_count = gf_bs_read_u32(bs);
++      if ((u64)ptr->subsegment_count > ptr->size / 8 || (u64)ptr->subsegment_count > (u64)SIZE_MAX/sizeof(u64)) {
++              GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of subsegment %d in pcrb\n", ptr->subsegment_count));
++              return GF_ISOM_INVALID_FILE;
++      }
++
+       ptr->pcr_values = gf_malloc(sizeof(u64)*ptr->subsegment_count);
+       if (!ptr->pcr_values) return GF_OUT_OF_MEM;
+       for (i=0; i<ptr->subsegment_count; i++) {
+@@ -9303,7 +9320,7 @@ GF_Err sbgp_box_read(GF_Box *s, GF_BitSt
+       }
+       ptr->entry_count = gf_bs_read_u32(bs);
+-      if (ptr->size < sizeof(GF_SampleGroupEntry)*ptr->entry_count)
++      if (ptr->size < sizeof(GF_SampleGroupEntry)*ptr->entry_count || (u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(GF_SampleGroupEntry))
+           return GF_ISOM_INVALID_FILE;
+       ptr->sample_entries = gf_malloc(sizeof(GF_SampleGroupEntry)*ptr->entry_count);
+@@ -9860,7 +9877,7 @@ GF_Err saio_box_read(GF_Box *s, GF_BitSt
+       if (ptr->entry_count) {
+               u32 i;
+-              if (ptr->size < (ptr->version == 0 ? 4 : 8) * ptr->entry_count)
++              if (ptr->size / (ptr->version == 0 ? 4 : 8) < ptr->entry_count || (u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(u64))
+                       return GF_ISOM_INVALID_FILE;
+               ptr->offsets = gf_malloc(sizeof(u64)*ptr->entry_count);
+               if (!ptr->offsets)
+@@ -10368,7 +10385,7 @@ GF_Err fpar_box_read(GF_Box *s, GF_BitSt
+       ISOM_DECREASE_SIZE(ptr, (ptr->version ? 4 : 2) );
+       ptr->nb_entries = gf_bs_read_int(bs, ptr->version ? 32 : 16);
+-      if (ptr->nb_entries > UINT_MAX / 6)
++      if (ptr->nb_entries > ptr->size / 6 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(FilePartitionEntry))
+               return GF_ISOM_INVALID_FILE;
+       ISOM_DECREASE_SIZE(ptr, ptr->nb_entries * 6 );
+@@ -10454,6 +10471,11 @@ GF_Err fecr_box_read(GF_Box *s, GF_BitSt
+       ISOM_DECREASE_SIZE(ptr, (ptr->version ? 4 : 2) );
+       ptr->nb_entries = gf_bs_read_int(bs, ptr->version ? 32 : 16);
++      if (ptr->nb_entries > ptr->size / (ptr->version ? 8 : 6) || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(FECReservoirEntry) ) {
++              GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in fecr\n", ptr->nb_entries));
++              return GF_ISOM_INVALID_FILE;
++      }
++
+       ISOM_DECREASE_SIZE(ptr, ptr->nb_entries * (ptr->version ? 8 : 6) );
+       GF_SAFE_ALLOC_N(ptr->entries, ptr->nb_entries, FECReservoirEntry);
+       if (!ptr->entries) return GF_OUT_OF_MEM;
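Review bot: The fpar change replaces `if (ptr->nb_entries > UINT_MAX / 6)` with a `ptr->size / 6` bound instead of adding to it, yet the next line still computes `ptr->nb_entries * 6`; if nb_entries is a 32-bit count (it is read with at most 32 bits and logged with `%d`) and the box declares a 64-bit size of 6 * 2^32 or more (ptr->size is logged with `%llu` elsewhere in this patch), that product wraps in 32-bit arithmetic before ISOM_DECREASE_SIZE sees it, and the SIZE_MAX/sizeof clause does not help on 64-bit targets where SIZE_MAX/sizeof(FilePartitionEntry) exceeds any u32. Keeping both bounds, `if (ptr->nb_entries > ptr->size / 6 || ptr->nb_entries > UINT_MAX / 6 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(FilePartitionEntry))`, closes that; the fecr hunk has the same shape, with `ptr->nb_entries * (ptr->version ? 8 : 6)` on the line after its new check. Separately, the message added in tfra_box_read says `in traf`; `"[iso file] Invalid number of entries %d in tfra\n"` would name the right box. Each of these function bodies continues outside its hunk.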
diff --git a/debian/patches/talos-2021-1298.patch b/debian/patches/talos-2021-1298.patch
new file mode 100644 (file)
index 0000000..573b6c5
--- /dev/null
@@ -0,0 +1,57 @@
+Backport of https://github.com/gpac/gpac/commit/8cd33e8977fd5f4215e4b67c309fd403762bfeb7
+
+https://talosintelligence.com/vulnerability_reports/TALOS-2021-1298
+
+--- gpac-1.0.1+dfsg1.orig/src/isomedia/box_code_base.c
++++ gpac-1.0.1+dfsg1/src/isomedia/box_code_base.c
+@@ -1653,17 +1653,23 @@ GF_Err hdlr_box_read(GF_Box *s, GF_BitSt
+       gf_bs_set_cookie(bs, cookie);
+       if (ptr->size) {
+-              ptr->nameUTF8 = (char*)gf_malloc((u32) ptr->size);
++              u32 name_size = (u32) ptr->size;
++              if (name_size < 1) {
++                      GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in hdlr\n", ptr->size));
++                      return GF_ISOM_INVALID_FILE;
++              }
++              ptr->nameUTF8 = (char*)gf_malloc(name_size);
+               if (!ptr->nameUTF8) return GF_OUT_OF_MEM;
+-              gf_bs_read_data(bs, ptr->nameUTF8, (u32) ptr->size);
++              gf_bs_read_data(bs, ptr->nameUTF8, name_size);
+               //patch for old QT files - we cannot rely on checking if str[0]==len(str+1) since we may have
+               //cases where the first character of the string decimal value is indeed the same as the string length!!
+               //we had this issue with encryption_import test
+               //we therefore only check if last char is null, and if not so assume old QT style
+-              if (ptr->nameUTF8[ptr->size-1]) {
+-                      memmove(ptr->nameUTF8, ptr->nameUTF8+1, sizeof(char) * (u32) (ptr->size-1) );
+-                      ptr->nameUTF8[ptr->size-1] = 0;
++              if (ptr->nameUTF8[name_size-1]) {
++                      if (name_size > 1)
++                              memmove(ptr->nameUTF8, ptr->nameUTF8+1, sizeof(char) * (u32) (name_size-1) );
++                      ptr->nameUTF8[name_size-1] = 0;
+                       ptr->store_counted_string = GF_TRUE;
+               }
+       }
+@@ -6687,6 +6693,10 @@ GF_Err stri_box_read(GF_Box *s, GF_BitSt
+       ptr->alternate_group = gf_bs_read_u16(bs);
+       ptr->sub_track_id = gf_bs_read_u32(bs);
+       ptr->attribute_count = ptr->size / 4;
++      if ((u64)ptr->attribute_count > (u64)SIZE_MAX/sizeof(u32)) {
++              GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in stri\n", ptr->size));
++              return GF_ISOM_INVALID_FILE;
++      }
+       GF_SAFE_ALLOC_N(ptr->attribute_list, (size_t)ptr->attribute_count, u32);
+       if (!ptr->attribute_list) return GF_OUT_OF_MEM;
+       for (i = 0; i < ptr->attribute_count; i++) {
+@@ -10972,6 +10982,10 @@ GF_Err trik_box_read(GF_Box *s,GF_BitStr
+       u32 i;
+       GF_TrickPlayBox *ptr = (GF_TrickPlayBox *) s;
+       ptr->entry_count = (u32) ptr->size;
++      if ((u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(GF_TrickPlayBoxEntry)) {
++              GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in trik\n", ptr->size));
++              return GF_ISOM_INVALID_FILE;
++      }
+       ptr->entries = (GF_TrickPlayBoxEntry *) gf_malloc(ptr->entry_count * sizeof(GF_TrickPlayBoxEntry) );
+       if (!ptr->entries) return GF_OUT_OF_MEM;
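Review bot: In hdlr_box_read the new guard `if (name_size < 1)` tests the value after `u32 name_size = (u32) ptr->size;` has truncated it, so it only rejects a size whose low 32 bits are zero; ptr->size is logged with `%llu`, so a 64-bit value such as 2^32 + 1 becomes name_size 1 and passes, leaving the allocation, gf_bs_read_data and the terminator fix-up sized from a mangled length. Testing the untruncated value, `if (ptr->size > 0xFFFFFFFF) {` in place of the `name_size < 1` test (the enclosing `if (ptr->size)` already excludes zero), covers the zero case too; whether such a box would be rejected earlier by the box-size bookkeeping is not visible in this hunk. The trik hunk has the same `(u32) ptr->size` truncation into entry_count ahead of its new check. hdlr_box_read's body continues outside the hunk.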
diff --git a/debian/patches/talos-2021-1299.patch b/debian/patches/talos-2021-1299.patch
new file mode 100644 (file)
index 0000000..51f5378
--- /dev/null
@@ -0,0 +1,75 @@
+Backport of https://github.com/gpac/gpac/commit/bbd741e0e5a6e7e1e90a73c350acc061dde9450b
+
+NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1299
+
+--- gpac-1.0.1+dfsg1.orig/src/isomedia/box_code_base.c
++++ gpac-1.0.1+dfsg1/src/isomedia/box_code_base.c
+@@ -577,10 +577,15 @@ GF_Err url_box_read(GF_Box *s, GF_BitStr
+       GF_DataEntryURLBox *ptr = (GF_DataEntryURLBox *)s;
+       if (ptr->size) {
+-              ptr->location = (char*)gf_malloc((u32) ptr->size);
++              u32 location_size = (u32) ptr->size;
++              if (location_size < 1) {
++                      GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in svhd box\n", ptr->size));
++                      return GF_ISOM_INVALID_FILE;
++              }
++              ptr->location = (char*)gf_malloc(location_size);
+               if (! ptr->location) return GF_OUT_OF_MEM;
+-              gf_bs_read_data(bs, ptr->location, (u32)ptr->size);
+-              if (ptr->location[ptr->size-1]) {
++              gf_bs_read_data(bs, ptr->location, location_size);
++              if (ptr->location[location_size-1]) {
+                       GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] url box location is not 0-terminated\n" ));
+                       return GF_ISOM_INVALID_FILE;
+               }
+@@ -1894,6 +1899,12 @@ GF_Err sdp_box_read(GF_Box *s, GF_BitStr
+       if (ptr == NULL) return GF_BAD_PARAM;
+       length = (u32) (ptr->size);
++
++      if (length >= (u32)0xFFFFFFFF) {
++              GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in sdp box\n", length));
++              return GF_ISOM_INVALID_FILE;
++      }
++
+       //sdp text has no delimiter !!!
+       ptr->sdpText = (char*)gf_malloc(sizeof(char) * (length+1));
+       if (!ptr->sdpText) return GF_OUT_OF_MEM;
+@@ -1951,6 +1962,12 @@ GF_Err rtp_hnti_box_read(GF_Box *s, GF_B
+       ptr->subType = gf_bs_read_u32(bs);
+       length = (u32) (ptr->size);
++
++      if (length >= (u32)0xFFFFFFFF) {
++              GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in rtp_hnti box\n", length));
++              return GF_ISOM_INVALID_FILE;
++      }
++
+       //sdp text has no delimiter !!!
+       ptr->sdpText = (char*)gf_malloc(sizeof(char) * (length+1));
+       if (!ptr->sdpText) return GF_OUT_OF_MEM;
+@@ -2614,6 +2631,12 @@ GF_Err name_box_read(GF_Box *s, GF_BitSt
+       GF_NameBox *ptr = (GF_NameBox *)s;
+       length = (u32) (ptr->size);
++
++      if (length >= (u32)0xFFFFFFFF) {
++              GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in name box\n", length));
++              return GF_ISOM_INVALID_FILE;
++      }
++
+       ptr->string = (char*)gf_malloc(sizeof(char) * (length+1));
+       if (! ptr->string) return GF_OUT_OF_MEM;
+@@ -8437,6 +8460,10 @@ void txtc_box_del(GF_Box *s)
+ GF_Err txtc_box_read(GF_Box *s, GF_BitStream *bs)
+ {
+       GF_TextConfigBox *ptr = (GF_TextConfigBox*)s;
++      if ((u32)ptr->size >= (u32)0xFFFFFFFF) {
++              GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in txtc box\n", ptr->size));
++              return GF_ISOM_INVALID_FILE;
++      }
+       ptr->config = (char *)gf_malloc(sizeof(char)*((u32) ptr->size+1));
+       if (!ptr->config) return GF_OUT_OF_MEM;
+       gf_bs_read_data(bs, ptr->config, (u32) ptr->size);
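Review bot: The length guards added in sdp_box_read, rtp_hnti_box_read and name_box_read (`if (length >= (u32)0xFFFFFFFF)`) and in txtc_box_read (`if ((u32)ptr->size >= (u32)0xFFFFFFFF)`) compare the u32 after truncation, so they only stop the `length+1` wrap for a size whose low 32 bits are all ones; a 64-bit ptr->size (it is logged with `%llu`) of 2^32 + 5 becomes length 5 and passes, and the `(u32) ptr->size` that the later gf_bs_read_data call uses no longer matches the box. Comparing the untruncated value, `if (ptr->size >= 0xFFFFFFFF)`, before the cast covers both cases in all four places, and the same applies to the `location_size < 1` test in url_box_read, which only catches a size whose low 32 bits are zero. The new messages also pass the u32 `length` with `%lu`, which is a wider type on LP64 targets; `%u` matches, and the message added to url_box_read says `in svhd box` where `"[iso file] Invalid size %llu in url box\n"` would name the function's box. These function bodies continue outside their hunks.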