+++ /dev/null
-From b15020f54aff24aaeb64b80771472be8e64a7adc Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Mon, 4 Jan 2021 11:24:26 +0100
-Subject: [PATCH] fixed #1662
-
----
- src/media_tools/isom_hinter.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/src/media_tools/isom_hinter.c b/src/media_tools/isom_hinter.c
-index 8af1d04b7f..2d05934f6d 100644
---- a/src/media_tools/isom_hinter.c
-+++ b/src/media_tools/isom_hinter.c
-@@ -793,8 +793,12 @@ GF_Err gf_hinter_track_process(GF_RTPHinter *tkHint)
- }
- remain -= size;
- tkHint->rtp_p->sl_header.accessUnitEndFlag = remain ? 0 : 1;
-- e = gf_rtp_builder_process(tkHint->rtp_p, ptr, size, (u8) !remain, samp->dataLength, duration, (u8) (descIndex + GF_RTP_TX3G_SIDX_OFFSET) );
-- ptr += size;
-+ if (!size) {
-+ GF_LOG(GF_LOG_WARNING, GF_LOG_RTP, ("[rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it\n", size));
-+ } else {
-+ e = gf_rtp_builder_process(tkHint->rtp_p, ptr, size, (u8) !remain, samp->dataLength, duration, (u8) (descIndex + GF_RTP_TX3G_SIDX_OFFSET) );
-+ ptr += size;
-+ }
- tkHint->rtp_p->sl_header.accessUnitStartFlag = 0;
- }
- } else {
+++ /dev/null
-From dae9900580a8888969481cd72035408091edb11b Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Mon, 4 Jan 2021 11:06:52 +0100
-Subject: [PATCH] fixed #1659
-
----
- src/isomedia/isom_store.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/isomedia/isom_store.c b/src/isomedia/isom_store.c
-index 37dfbe55a9..ee2b2cfaf2 100644
---- a/src/isomedia/isom_store.c
-+++ b/src/isomedia/isom_store.c
-@@ -150,8 +150,14 @@ GF_Err SetupWriters(MovieWriter *mw, GF_List *writers, u8 interleaving)
-
- trackCount = gf_list_count(movie->moov->trackList);
- for (i = 0; i < trackCount; i++) {
-+ GF_SampleTableBox *stbl;
- trak = gf_isom_get_track(movie->moov, i+1);
-
-+ stbl = (trak->Media && trak->Media->information) ? trak->Media->information->sampleTable : NULL;
-+ if (!stbl || !stbl->SampleSize || !stbl->ChunkOffset || !stbl->SampleToChunk) {
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+
- GF_SAFEALLOC(writer, TrackWriter);
- if (!writer) goto exit;
- writer->sampleNumber = 1;
+++ /dev/null
-From a4eb327049132359cae54b59faec9e2f14c5a619 Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Mon, 4 Jan 2021 11:10:48 +0100
-Subject: [PATCH] fixed #1660
-
----
- src/media_tools/isom_hinter.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/media_tools/isom_hinter.c b/src/media_tools/isom_hinter.c
-index 5bf89cb5ca..8af1d04b7f 100644
---- a/src/media_tools/isom_hinter.c
-+++ b/src/media_tools/isom_hinter.c
-@@ -967,6 +967,8 @@ GF_Err gf_hinter_track_finalize(GF_RTPHinter *tkHint, Bool AddSystemInfo)
- if (avcc) {
- sprintf(sdpLine, "a=fmtp:%d profile-level-id=%02X%02X%02X; packetization-mode=1", tkHint->rtp_p->PayloadType, avcc->AVCProfileIndication, avcc->profile_compatibility, avcc->AVCLevelIndication);
- } else {
-+ if (!svcc)
-+ return GF_ISOM_INVALID_FILE;
- sprintf(sdpLine, "a=fmtp:%d profile-level-id=%02X%02X%02X; packetization-mode=1", tkHint->rtp_p->PayloadType, svcc->AVCProfileIndication, svcc->profile_compatibility, svcc->AVCLevelIndication);
- }
-
+++ /dev/null
-From c4a5109dad73abe25ad12d8d529a728ae98d78ca Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Thu, 11 Mar 2021 15:28:56 +0100
-Subject: [PATCH] fixed #1702
-
----
- src/isomedia/track.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- gpac-1.0.1+dfsg1.orig/src/isomedia/track.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/track.c
-@@ -1019,7 +1019,7 @@ GF_Err MergeTrack(GF_TrackBox *trak, GF_
- break;
- }
- }
-- if (saiz && saio) {
-+ if (saiz && saio && senc) {
- for (i = 0; i < saiz->sample_count; i++) {
- GF_CENCSampleAuxInfo *sai;
-
+++ /dev/null
-From da69ad1f970a7e17c865eaec9af98cc84df10d5b Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Mon, 29 Mar 2021 09:17:40 +0200
-Subject: [PATCH] fixed 1718
-
----
- src/filters/reframe_flac.c | 19 ++++++++++++++++++-
- 1 file changed, 18 insertions(+), 1 deletion(-)
-
---- gpac-1.0.1+dfsg1.orig/src/filters/reframe_flac.c
-+++ gpac-1.0.1+dfsg1/src/filters/reframe_flac.c
-@@ -59,6 +59,7 @@ typedef struct
- Bool is_playing;
- Bool is_file;
- Bool initial_play_done, file_loaded;
-+ Bool in_error;
-
- Bool initialized;
- u32 sample_rate, nb_channels, bits_per_sample, block_size;
-@@ -378,6 +379,9 @@ GF_Err flac_dmx_process(GF_Filter *filte
- u64 cts = GF_FILTER_NO_TS;
- FLACHeader hdr;
-
-+ if (ctx->in_error)
-+ return GF_NON_COMPLIANT_BITSTREAM;
-+
- //always reparse duration
- if (!ctx->duration.num)
- flac_dmx_check_dur(filter, ctx);
-@@ -484,7 +488,12 @@ GF_Err flac_dmx_process(GF_Filter *filte
- gf_bs_reassign_buffer(ctx->bs, ctx->flac_buffer, size);
- u32 magic = gf_bs_read_u32(ctx->bs);
- if (magic != GF_4CC('f','L','a','C')) {
--
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[FLACDmx] invalid FLAC magic\n"));
-+ ctx->in_error = GF_TRUE;
-+ ctx->flac_buffer_size = 0;
-+ if (pck)
-+ gf_filter_pid_drop_packet(ctx->ipid);
-+ return GF_NON_COMPLIANT_BITSTREAM;
- }
- while (gf_bs_available(ctx->bs)) {
- Bool last = gf_bs_read_int(ctx->bs, 1);
-@@ -514,6 +523,14 @@ GF_Err flac_dmx_process(GF_Filter *filte
- }
- if (last) break;
- }
-+ if (!dsi_end) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[FLACDmx] invalid FLAC header\n"));
-+ ctx->in_error = GF_TRUE;
-+ ctx->flac_buffer_size = 0;
-+ if (pck)
-+ gf_filter_pid_drop_packet(ctx->ipid);
-+ return GF_NON_COMPLIANT_BITSTREAM;
-+ }
- flac_dmx_check_pid(filter, ctx, ctx->flac_buffer+4, dsi_end-4);
- remain -= size;
- start += size;
+++ /dev/null
-Backport of
-
-From 51cdb67ff7c5f1242ac58c5aa603ceaf1793b788 Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Mon, 29 Mar 2021 09:34:02 +0200
-Subject: [PATCH] add safety in avc/hevc/vvc sps/pps/vps ID check - cf #1720
- #1721 #1722
-
---- gpac-1.0.1+dfsg1.orig/src/media_tools/av_parsers.c
-+++ gpac-1.0.1+dfsg1/src/media_tools/av_parsers.c
-@@ -5012,10 +5012,7 @@ static s32 gf_media_avc_read_sps_bs_inte
- by subset SPS. According to the SVC standard, subset SPS can have the same sps_id
- than its base layer, but it does not refer to the same SPS. */
- sps_id = gf_bs_get_ue(bs) + GF_SVC_SSPS_ID_SHIFT * subseq_sps;
-- if (sps_id >= 32) {
-- return -1;
-- }
-- if (sps_id < 0) {
-+ if ((sps_id < 0) || (sps_id >= 32)) {
- return -1;
- }
-
-@@ -5342,7 +5339,7 @@ static s32 gf_media_avc_read_pps_bs_inte
- /*nal_hdr = */gf_bs_read_u8(bs);
- }
- pps_id = gf_bs_get_ue(bs);
-- if (pps_id >= 255) {
-+ if ((pps_id<0) || (pps_id >= 255)) {
- return -1;
- }
- pps = &avc->pps[pps_id];
-@@ -5350,7 +5347,7 @@ static s32 gf_media_avc_read_pps_bs_inte
-
- if (!pps->status) pps->status = 1;
- pps->sps_id = gf_bs_get_ue(bs);
-- if (pps->sps_id >= 32) {
-+ if ((pps->sps_id<0) || (pps->sps_id >= 32)) {
- pps->sps_id = 0;
- return -1;
- }
-@@ -6595,7 +6592,7 @@ s32 hevc_parse_slice_segment(GF_BitStrea
- }
-
- pps_id = gf_bs_get_ue(bs);
-- if (pps_id >= 64)
-+ if ((pps_id<0) || (pps_id >= 64))
- return -1;
-
- pps = &hevc->pps[pps_id];
-@@ -7409,7 +7406,7 @@ static s32 gf_media_hevc_read_vps_bs_int
- //nalu header already parsed
- vps_id = gf_bs_read_int(bs, 4);
-
-- if (vps_id >= 16) return -1;
-+ if ((vps_id<0) || (vps_id >= 16)) return -1;
-
- vps = &hevc->vps[vps_id];
- vps->bit_pos_vps_extensions = -1;
-@@ -7637,7 +7634,7 @@ static s32 gf_media_hevc_read_sps_bs_int
-
- //nalu header already parsed
- vps_id = gf_bs_read_int(bs, 4);
-- if (vps_id >= 16) {
-+ if ((vps_id<0) || (vps_id >= 16)) {
- return -1;
- }
- memset(&ptl, 0, sizeof(ptl));
+++ /dev/null
-From 13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Mon, 29 Mar 2021 09:21:51 +0200
-Subject: [PATCH] fixed #1719
-
----
- src/filters/reframe_av1.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- gpac-1.0.1+dfsg1.orig/src/filters/reframe_av1.c
-+++ gpac-1.0.1+dfsg1/src/filters/reframe_av1.c
-@@ -718,6 +718,9 @@ static GF_Err av1dmx_parse_flush_sample(
- GF_FilterPacket *pck;
- u8 *output;
-
-+ if (!ctx->opid)
-+ return GF_NON_COMPLIANT_BITSTREAM;
-+
- gf_bs_get_content_no_truncate(ctx->state.bs, &ctx->state.frame_obus, &pck_size, &ctx->state.frame_obus_alloc);
-
- if (!pck_size) {
+++ /dev/null
-From 13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Mon, 29 Mar 2021 09:21:51 +0200
-Subject: [PATCH] fixed #1719
-
----
- src/filters/reframe_av1.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- gpac-1.0.1+dfsg1.orig/src/filters/reframe_adts.c
-+++ gpac-1.0.1+dfsg1/src/filters/reframe_adts.c
-@@ -683,6 +683,12 @@ GF_Err adts_dmx_process(GF_Filter *filte
- break;
- }
-
-+ if (ctx->hdr.frame_size < ctx->hdr.hdr_size) {
-+ GF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, ("[ADTSDmx] Corrupted ADTS frame header, resyncing\n"));
-+ ctx->nb_frames = 0;
-+ goto drop_byte;
-+ }
-+
- adts_dmx_check_pid(filter, ctx);
-
- if (!ctx->is_playing) {
+++ /dev/null
-From b2db2f99b4c30f96e17b9a14537c776da6cb5dca Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Thu, 8 Apr 2021 09:29:42 +0200
-Subject: [PATCH] fixed #1728
-
----
- src/filters/reframe_latm.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- gpac-1.0.1+dfsg1.orig/src/filters/reframe_latm.c
-+++ gpac-1.0.1+dfsg1/src/filters/reframe_latm.c
-@@ -424,8 +424,8 @@ GF_Err latm_dmx_process(GF_Filter *filte
- GF_LATMDmxCtx *ctx = gf_filter_get_udta(filter);
- GF_FilterPacket *pck, *dst_pck;
- u32 pos;
-- u8 *data, *output;
-- u32 pck_size, prev_pck_size;
-+ u8 *data=NULL, *output;
-+ u32 pck_size=0, prev_pck_size;
- u64 cts = GF_FILTER_NO_TS;
-
- //always reparse duration
-@@ -448,10 +448,10 @@ GF_Err latm_dmx_process(GF_Filter *filte
- } else {
- return GF_OK;
- }
-+ } else {
-+ data = (char *) gf_filter_pck_get_data(pck, &pck_size);
- }
-
-- data = (char *) gf_filter_pck_get_data(pck, &pck_size);
--
- //input pid sets some timescale - we flushed pending data , update cts
- if (ctx->timescale && pck) {
- cts = gf_filter_pck_get_cts(pck);
+++ /dev/null
-From 758135e91e623d7dfe7f6aaad7aeb3f791b7a4e5 Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Thu, 8 Apr 2021 10:07:35 +0200
-Subject: [PATCH] fixed #1733
-
----
- src/isomedia/box_code_adobe.c | 35 ++++++++++++++++++++++++++++++-----
- 1 file changed, 30 insertions(+), 5 deletions(-)
-
-diff --git a/src/isomedia/box_code_adobe.c b/src/isomedia/box_code_adobe.c
-index ab5115f25a..711d84bf0d 100644
---- a/src/isomedia/box_code_adobe.c
-+++ b/src/isomedia/box_code_adobe.c
-@@ -79,6 +79,7 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
- int i;
- u32 tmp_strsize;
- char *tmp_str;
-+ Bool zfound=GF_FALSE;
- GF_Err e;
-
- ISOM_DECREASE_SIZE(ptr, 25)
-@@ -102,10 +103,14 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
- ISOM_DECREASE_SIZE(ptr, 1)
- tmp_str[i] = gf_bs_read_u8(bs);
- tmp_strsize--;
-- if (!tmp_str[i])
-+ if (!tmp_str[i]) {
-+ zfound = GF_TRUE;
- break;
-+ }
- i++;
- }
-+ if (!zfound)
-+ return GF_ISOM_INVALID_FILE;
- if (i) {
- ptr->movie_identifier = gf_strdup(tmp_str);
- }
-@@ -114,15 +119,20 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
- ptr->server_entry_count = gf_bs_read_u8(bs);
- for (i=0; i<ptr->server_entry_count; i++) {
- int j=0;
-+ zfound = GF_FALSE;
- tmp_strsize=(u32)ptr->size;
- while (tmp_strsize) {
- ISOM_DECREASE_SIZE(ptr, 1)
- tmp_str[j] = gf_bs_read_u8(bs);
- tmp_strsize--;
-- if (!tmp_str[j])
-+ if (!tmp_str[j]) {
-+ zfound = GF_TRUE;
- break;
-+ }
- j++;
- }
-+ if (!zfound)
-+ return GF_ISOM_INVALID_FILE;
- if (j) {
- gf_list_insert(ptr->server_entry_table, gf_strdup(tmp_str), i);
- }
-@@ -132,16 +142,21 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
- ptr->quality_entry_count = gf_bs_read_u8(bs);
- for (i=0; i<ptr->quality_entry_count; i++) {
- int j=0;
-+ zfound = GF_FALSE;
- tmp_strsize=(u32)ptr->size;
- while (tmp_strsize) {
- ISOM_DECREASE_SIZE(ptr, 1)
- tmp_str[j] = gf_bs_read_u8(bs);
- tmp_strsize--;
-- if (!tmp_str[j])
-+ if (!tmp_str[j]) {
-+ zfound = GF_TRUE;
- break;
-+ }
- j++;
- }
-
-+ if (!zfound)
-+ return GF_ISOM_INVALID_FILE;
- if (j) {
- gf_list_insert(ptr->quality_entry_table, gf_strdup(tmp_str), i);
- }
-@@ -149,28 +164,38 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
-
- i=0;
- tmp_strsize=(u32)ptr->size;
-+ zfound = GF_FALSE;
- while (tmp_strsize) {
- ISOM_DECREASE_SIZE(ptr, 1)
- tmp_str[i] = gf_bs_read_u8(bs);
- tmp_strsize--;
-- if (!tmp_str[i])
-+ if (!tmp_str[i]) {
-+ zfound = GF_TRUE;
- break;
-+ }
- i++;
- }
-+ if (!zfound)
-+ return GF_ISOM_INVALID_FILE;
- if (i) {
- ptr->drm_data = gf_strdup(tmp_str);
- }
-
- i=0;
- tmp_strsize=(u32)ptr->size;
-+ zfound = GF_FALSE;
- while (tmp_strsize) {
- ISOM_DECREASE_SIZE(ptr, 1)
- tmp_str[i] = gf_bs_read_u8(bs);
- tmp_strsize--;
-- if (!tmp_str[i])
-+ if (!tmp_str[i]) {
-+ zfound = GF_TRUE;
- break;
-+ }
- i++;
- }
-+ if (!zfound)
-+ return GF_ISOM_INVALID_FILE;
- if (i) {
- ptr->meta_data = gf_strdup(tmp_str);
- }
+++ /dev/null
-From 2da2f68bffd51d89b1d272d22aa8cc023c1c066e Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Fri, 12 Mar 2021 11:46:56 +0100
-Subject: [PATCH] fixed #1705
-
----
- src/isomedia/stbl_read.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/isomedia/stbl_read.c b/src/isomedia/stbl_read.c
-index ebfbe62abe..384d4f7827 100644
---- a/src/isomedia/stbl_read.c
-+++ b/src/isomedia/stbl_read.c
-@@ -419,11 +419,13 @@ GF_Err stbl_GetSampleInfos(GF_SampleTableBox *stbl, u32 sampleNumber, u64 *offse
- if ( stbl->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) {
- stco = (GF_ChunkOffsetBox *)stbl->ChunkOffset;
- if (!stco->offsets) return GF_ISOM_INVALID_FILE;
-+ if (stco->nb_entries < sampleNumber) return GF_ISOM_INVALID_FILE;
-
- (*offset) = (u64) stco->offsets[sampleNumber - 1];
- } else {
- co64 = (GF_ChunkLargeOffsetBox *)stbl->ChunkOffset;
- if (!co64->offsets) return GF_ISOM_INVALID_FILE;
-+ if (co64->nb_entries < sampleNumber) return GF_ISOM_INVALID_FILE;
-
- (*offset) = co64->offsets[sampleNumber - 1];
- }
+++ /dev/null
-From 87afe070cd6866df7fe80f11b26ef75161de85e0 Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Thu, 8 Apr 2021 10:09:46 +0200
-Subject: [PATCH] fixed #1734
-
----
- applications/mp4box/main.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- gpac-1.0.1+dfsg1.orig/applications/mp4box/main.c
-+++ gpac-1.0.1+dfsg1/applications/mp4box/main.c
-@@ -1296,7 +1296,7 @@ GF_Err HintFile(GF_ISOFile *file, u32 MT
-
- streamType = 0;
- esd = gf_isom_get_esd(file, i+1, 1);
-- if (esd) {
-+ if (esd && esd->decoderConfig) {
- streamType = esd->decoderConfig->streamType;
- if (!prev_ocr) {
- prev_ocr = esd->OCRESID;
+++ /dev/null
-From ebfa346eff05049718f7b80041093b4c5581c24e Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Fri, 12 Mar 2021 11:56:53 +0100
-Subject: [PATCH] fixed #1706
-
----
- src/isomedia/isom_read.c | 1 +
- src/isomedia/isom_write.c | 13 ++++++++++---
- src/media_tools/isom_hinter.c | 6 +++++-
- 3 files changed, 16 insertions(+), 4 deletions(-)
-
---- gpac-1.0.1+dfsg1.orig/src/isomedia/isom_read.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/isom_read.c
-@@ -3802,6 +3802,7 @@ u32 gf_isom_guess_specification(GF_ISOFi
- case GF_ISOM_SUBTYPE_MPEG4_CRYP:
- {
- GF_DecoderConfig *dcd = gf_isom_get_decoder_config(file, i+1, 1);
-+ if (!dcd) break;
- switch (dcd->streamType) {
- case GF_STREAM_VISUAL:
- if (dcd->objectTypeIndication==GF_CODECID_MPEG4_PART2) nb_m4v++;
---- gpac-1.0.1+dfsg1.orig/src/isomedia/isom_write.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/isom_write.c
-@@ -5224,6 +5224,7 @@ GF_Err gf_isom_set_extraction_slc(GF_ISO
- GF_SampleEntryBox *entry;
- GF_Err e;
- GF_SLConfig **slc;
-+ GF_ESDBox *esds;
-
- trak = gf_isom_get_track_from_file(the_file, trackNumber);
- if (!trak) return GF_BAD_PARAM;
-@@ -5234,15 +5235,21 @@ GF_Err gf_isom_set_extraction_slc(GF_ISO
- //we must be sure we are not using a remote ESD
- switch (entry->type) {
- case GF_ISOM_BOX_TYPE_MP4S:
-- if (((GF_MPEGSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM;
-+ esds = ((GF_MPEGSampleEntryBox *)entry)->esd;
-+ if (!esds || !esds->desc || !esds->desc->slConfig || (esds->desc->slConfig->predefined != SLPredef_MP4))
-+ return GF_ISOM_INVALID_FILE;
- slc = & ((GF_MPEGSampleEntryBox *)entry)->slc;
- break;
- case GF_ISOM_BOX_TYPE_MP4A:
-- if (((GF_MPEGAudioSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM;
-+ esds = ((GF_MPEGAudioSampleEntryBox *)entry)->esd;
-+ if (!esds || !esds->desc || !esds->desc->slConfig || (esds->desc->slConfig->predefined != SLPredef_MP4))
-+ return GF_ISOM_INVALID_FILE;
- slc = & ((GF_MPEGAudioSampleEntryBox *)entry)->slc;
- break;
- case GF_ISOM_BOX_TYPE_MP4V:
-- if (((GF_MPEGVisualSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM;
-+ esds = ((GF_MPEGVisualSampleEntryBox *)entry)->esd;
-+ if (!esds || !esds->desc || !esds->desc->slConfig || (esds->desc->slConfig->predefined != SLPredef_MP4))
-+ return GF_ISOM_INVALID_FILE;
- slc = & ((GF_MPEGVisualSampleEntryBox *)entry)->slc;
- break;
- default:
---- gpac-1.0.1+dfsg1.orig/src/media_tools/isom_hinter.c
-+++ gpac-1.0.1+dfsg1/src/media_tools/isom_hinter.c
-@@ -641,7 +641,11 @@ GF_RTPHinter *gf_hinter_track_new(GF_ISO
- if (hintType==GF_RTP_PAYT_MPEG4) {
- tmp->rtp_p->slMap.CodecID = codecid;
- /*set this SL for extraction.*/
-- gf_isom_set_extraction_slc(file, TrackNum, 1, &my_sl);
-+ *e = gf_isom_set_extraction_slc(file, TrackNum, 1, &my_sl);
-+ if (*e) {
-+ gf_hinter_track_del(tmp);
-+ return NULL;
-+ }
- }
- tmp->bandwidth = bandwidth;
-
+++ /dev/null
-From df8fffd839fe5ae9acd82d26fd48280a397411d9 Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Thu, 8 Apr 2021 10:21:26 +0200
-Subject: [PATCH] fixed #1736
-
----
- src/isomedia/track.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
---- gpac-1.0.1+dfsg1.orig/src/isomedia/track.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/track.c
-@@ -1003,10 +1003,13 @@ GF_Err MergeTrack(GF_TrackBox *trak, GF_
- if ((aux_info_type == GF_ISOM_CENC_SCHEME) || (aux_info_type == GF_ISOM_CBC_SCHEME) ||
- (aux_info_type == GF_ISOM_CENS_SCHEME) || (aux_info_type == GF_ISOM_CBCS_SCHEME) ||
- (gf_list_count(traf->sai_offsets) == 1)) {
-- offset = saio->offsets[0] + moof_offset;
-- nb_saio = saio->entry_count;
-- break;
-+ if (saio->offsets && saio->entry_count) {
-+ offset = saio->offsets[0] + moof_offset;
-+ nb_saio = saio->entry_count;
-+ break;
-+ }
- }
-+ saio = NULL;
- }
- for (i = 0; i < gf_list_count(traf->sai_sizes); i++) {
- saiz = (GF_SampleAuxiliaryInfoSizeBox *)gf_list_get(traf->sai_sizes, i);
-@@ -1018,6 +1021,7 @@ GF_Err MergeTrack(GF_TrackBox *trak, GF_
- (gf_list_count(traf->sai_sizes) == 1)) {
- break;
- }
-+ saiz = NULL;
- }
- if (saiz && saio && senc) {
- for (i = 0; i < saiz->sample_count; i++) {
+++ /dev/null
-From cd3738dea038dbd12e603ad48cd7373ae0440f65 Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Fri, 9 Apr 2021 11:12:47 +0200
-Subject: [PATCH] fixed #1737
-
----
- src/media_tools/isom_hinter.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/media_tools/isom_hinter.c b/src/media_tools/isom_hinter.c
-index 6aeb9d172..6c4da454a 100644
---- a/src/media_tools/isom_hinter.c
-+++ b/src/media_tools/isom_hinter.c
-@@ -402,8 +402,9 @@ GF_RTPHinter *gf_hinter_track_new(GF_ISOFile *file, u32 TrackNum,
- else if (gf_isom_has_sync_shadows(file, TrackNum) || gf_isom_has_sample_dependency(file, TrackNum)) {
- flags |= GP_RTP_PCK_SYSTEMS_CAROUSEL;
- }
-- gf_odf_desc_del((GF_Descriptor*)esd);
- }
-+ if (esd)
-+ gf_odf_desc_del((GF_Descriptor*)esd);
- break;
- case GF_ISOM_SUBTYPE_3GP_H263:
- hintType = GF_RTP_PAYT_H263;
+++ /dev/null
-From b2eab95e07cb5819375a50358d4806a8813b6e50 Mon Sep 17 00:00:00 2001
-From: jeanlf <jeanlf@gpac.io>
-Date: Fri, 9 Apr 2021 11:17:40 +0200
-Subject: [PATCH] fixed #1738
-
----
- src/isomedia/avc_ext.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
---- gpac-1.0.1+dfsg1.orig/src/isomedia/avc_ext.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/avc_ext.c
-@@ -1330,7 +1330,8 @@ static GF_Err gf_isom_check_mvc(GF_ISOFi
- return GF_OK;
- }
-
--static GF_AV1Config* AV1_DuplicateConfig(GF_AV1Config const * const cfg) {
-+static GF_AV1Config* AV1_DuplicateConfig(GF_AV1Config const * const cfg)
-+{
- u32 i = 0;
- GF_AV1Config *out = gf_malloc(sizeof(GF_AV1Config));
-
-@@ -1374,7 +1375,7 @@ void AV1_RewriteESDescriptorEx(GF_MPEGVi
- av1->emul_esd->decoderConfig->avgBitrate = btrt->avgBitrate;
- av1->emul_esd->decoderConfig->maxBitrate = btrt->maxBitrate;
- }
-- if (av1->av1_config) {
-+ if (av1->av1_config && av1->av1_config->config) {
- GF_AV1Config *av1_cfg = AV1_DuplicateConfig(av1->av1_config->config);
- if (av1_cfg) {
- gf_odf_av1_cfg_write(av1_cfg, &av1->emul_esd->decoderConfig->decoderSpecificInfo->data, &av1->emul_esd->decoderConfig->decoderSpecificInfo->dataLength);
-@@ -2275,7 +2276,7 @@ GF_AV1Config *gf_isom_av1_config_get(GF_
- trak = gf_isom_get_track_from_file(the_file, trackNumber);
- if (!trak || !trak->Media || !DescriptionIndex) return NULL;
- entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex - 1);
-- if (!entry || !entry->av1_config) return NULL;
-+ if (!entry || !entry->av1_config|| !entry->av1_config->config) return NULL;
- return AV1_DuplicateConfig(entry->av1_config->config);
- }
-
gcc-optflags.patch
dont-err-build-on-uknown-system.patch
-CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch
-CVE-2020-35979.patch
-CVE-2020-35981.patch
-CVE-2020-35982.patch
-CVE-2021-28300.patch
-CVE-2021-29279.patch
-CVE-2021-31255.patch
-CVE-2021-31256.patch
-CVE-2021-31261.patch
-CVE-2021-30015.patch
-CVE-2021-30019.patch
-CVE-2021-30199.patch
-CVE-2021-31257.patch
-CVE-2021-31258.patch
-CVE-2021-31260.patch
-CVE-2021-31262.patch
-talos-2021-1297.patch
-talos-2021-1298.patch
-talos-2021-1299.patch
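Review bot: Nothing visible on this page shows that the upstream source already contains the nineteen security fixes whose entries are dropped from the series here (the sixteen `CVE-*.patch` lines and `talos-2021-1297`/`1298`/`1299`). The new upstream version is presumably set elsewhere in the commit, but the removal should still be confirmed fix by fix rather than assumed from the bump. Several of the deleted files are marked "Backport of" and were adapted to the 1.0.1 tree, so the upstream form may differ; a quick check is that guards such as `(u64)ptr->sample_count > (u64)SIZE_MAX/sizeof(GF_TrunEntry)` in `box_code_base.c` and `if (saiz && saio && senc)` in `track.c` are present in the unpatched new source. I would record the outcome in the changelog entry, for example `* Drop CVE-* and talos-2021-129x patches: applied upstream in <NEW_UPSTREAM_VERSION>`.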
+++ /dev/null
-Backport of https://github.com/gpac/gpac/commit/b515fd04f5f00f4a99df741042f1efb31ad56351
-https://talosintelligence.com/vulnerability_reports/TALOS-2021-1297
-
---- gpac-1.0.1+dfsg1.orig/src/isomedia/box_code_base.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/box_code_base.c
-@@ -46,7 +46,7 @@ GF_Err co64_box_read(GF_Box *s,GF_BitStr
-
- ISOM_DECREASE_SIZE(ptr, 4)
-
-- if (ptr->nb_entries > ptr->size / 8) {
-+ if ((u64)ptr->nb_entries > ptr->size / 8 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u64)) {
- GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in co64\n", ptr->nb_entries));
- return GF_ISOM_INVALID_FILE;
- }
-@@ -392,7 +392,7 @@ GF_Err ctts_box_read(GF_Box *s, GF_BitSt
- ISOM_DECREASE_SIZE(ptr, 4);
- ptr->nb_entries = gf_bs_read_u32(bs);
-
-- if (ptr->nb_entries > ptr->size / 8) {
-+ if (ptr->nb_entries > ptr->size / 8 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_DttsEntry) ) {
- GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in ctts\n", ptr->nb_entries));
- return GF_ISOM_INVALID_FILE;
- }
-@@ -3194,6 +3194,10 @@ GF_Err tfra_box_read(GF_Box *s, GF_BitSt
- }
-
- if (ptr->nb_entries) {
-+ if ((u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_RandomAccessEntry)) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in traf\n", ptr->nb_entries));
-+ return GF_ISOM_INVALID_FILE;
-+ }
- p = (GF_RandomAccessEntry *) gf_malloc(sizeof(GF_RandomAccessEntry) * ptr->nb_entries);
- if (!p) return GF_OUT_OF_MEM;
- }
-@@ -5104,7 +5108,7 @@ GF_Err stco_box_read(GF_Box *s, GF_BitSt
-
- ISOM_DECREASE_SIZE(ptr, 4);
- ptr->nb_entries = gf_bs_read_u32(bs);
-- if (ptr->nb_entries > ptr->size / 4) {
-+ if (ptr->nb_entries > ptr->size / 4 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u32)) {
- GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stco\n", ptr->nb_entries));
- return GF_ISOM_INVALID_FILE;
- }
-@@ -5236,7 +5240,7 @@ GF_Err stsc_box_read(GF_Box *s, GF_BitSt
- ISOM_DECREASE_SIZE(ptr, 4);
- ptr->nb_entries = gf_bs_read_u32(bs);
-
-- if (ptr->nb_entries > ptr->size / 12) {
-+ if (ptr->nb_entries > ptr->size / 12 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_StscEntry)) {
- GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stsc\n", ptr->nb_entries));
- return GF_ISOM_INVALID_FILE;
- }
-@@ -5575,6 +5579,10 @@ GF_Err stsz_box_read(GF_Box *s, GF_BitSt
- }
- }
- }
-+ if (ptr->sampleCount && (u64)ptr->sampleCount > (u64)SIZE_MAX/sizeof(u32)) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stsz\n", ptr->sampleCount));
-+ return GF_ISOM_INVALID_FILE;
-+ }
- if (s->type == GF_ISOM_BOX_TYPE_STSZ) {
- if (! ptr->sampleSize && ptr->sampleCount) {
- if (ptr->sampleCount > ptr->size / 4) {
-@@ -5779,7 +5787,7 @@ GF_Err stts_box_read(GF_Box *s, GF_BitSt
-
- ISOM_DECREASE_SIZE(ptr, 4);
- ptr->nb_entries = gf_bs_read_u32(bs);
-- if (ptr->size < ptr->nb_entries * 8) {
-+ if (ptr->size / 8 < ptr->nb_entries || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_SttsEntry)) {
- GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stts\n", ptr->nb_entries));
- return GF_ISOM_INVALID_FILE;
- }
-@@ -7276,6 +7284,10 @@ GF_Err trun_box_read(GF_Box *s, GF_BitSt
- if (ptr->sample_count * 4 > ptr->size) {
- ISOM_DECREASE_SIZE(ptr, ptr->sample_count*4);
- }
-+ if ((u64)ptr->sample_count > (u64)SIZE_MAX/sizeof(GF_TrunEntry)) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of samples %d in trun\n", ptr->sample_count));
-+ return GF_ISOM_INVALID_FILE;
-+ }
- ptr->samples = gf_malloc(sizeof(GF_TrunEntry) * ptr->sample_count);
- if (!ptr->samples) return GF_OUT_OF_MEM;
- ptr->sample_alloc = ptr->nb_samples = ptr->sample_count;
-@@ -8786,7 +8798,7 @@ GF_Err ssix_box_read(GF_Box *s, GF_BitSt
- ISOM_DECREASE_SIZE(ptr, 4)
- ptr->subsegment_count = gf_bs_read_u32(bs);
- //each subseg has at least one range_count (4 bytes), abort if not enough bytes (broken box)
-- if (ptr->size < ptr->subsegment_count*4)
-+ if (ptr->size / 4 < ptr->subsegment_count || (u64)ptr->subsegment_count > (u64)SIZE_MAX/sizeof(GF_SubsegmentInfo))
- return GF_ISOM_INVALID_FILE;
-
- GF_SAFE_ALLOC_N(ptr->subsegments, ptr->subsegment_count, GF_SubsegmentInfo);
-@@ -8797,7 +8809,7 @@ GF_Err ssix_box_read(GF_Box *s, GF_BitSt
- ISOM_DECREASE_SIZE(ptr, 4)
- subseg->range_count = gf_bs_read_u32(bs);
- //each range is 4 bytes, abort if not enough bytes
-- if (ptr->size < subseg->range_count*4)
-+ if (ptr->size / 4 < subseg->range_count || (u64)subseg->range_count > (u64)SIZE_MAX/sizeof(GF_SubsegmentRangeInfo))
- return GF_ISOM_INVALID_FILE;
- subseg->ranges = (GF_SubsegmentRangeInfo*) gf_malloc(sizeof(GF_SubsegmentRangeInfo) * subseg->range_count);
- if (!subseg->ranges) return GF_OUT_OF_MEM;
-@@ -8979,6 +8991,11 @@ GF_Err pcrb_box_read(GF_Box *s,GF_BitStr
- ISOM_DECREASE_SIZE(ptr, 4);
- ptr->subsegment_count = gf_bs_read_u32(bs);
-
-+ if ((u64)ptr->subsegment_count > ptr->size / 8 || (u64)ptr->subsegment_count > (u64)SIZE_MAX/sizeof(u64)) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of subsegment %d in pcrb\n", ptr->subsegment_count));
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+
- ptr->pcr_values = gf_malloc(sizeof(u64)*ptr->subsegment_count);
- if (!ptr->pcr_values) return GF_OUT_OF_MEM;
- for (i=0; i<ptr->subsegment_count; i++) {
-@@ -9303,7 +9320,7 @@ GF_Err sbgp_box_read(GF_Box *s, GF_BitSt
- }
- ptr->entry_count = gf_bs_read_u32(bs);
-
-- if (ptr->size < sizeof(GF_SampleGroupEntry)*ptr->entry_count)
-+ if (ptr->size < sizeof(GF_SampleGroupEntry)*ptr->entry_count || (u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(GF_SampleGroupEntry))
- return GF_ISOM_INVALID_FILE;
-
- ptr->sample_entries = gf_malloc(sizeof(GF_SampleGroupEntry)*ptr->entry_count);
-@@ -9860,7 +9877,7 @@ GF_Err saio_box_read(GF_Box *s, GF_BitSt
-
- if (ptr->entry_count) {
- u32 i;
-- if (ptr->size < (ptr->version == 0 ? 4 : 8) * ptr->entry_count)
-+ if (ptr->size / (ptr->version == 0 ? 4 : 8) < ptr->entry_count || (u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(u64))
- return GF_ISOM_INVALID_FILE;
- ptr->offsets = gf_malloc(sizeof(u64)*ptr->entry_count);
- if (!ptr->offsets)
-@@ -10368,7 +10385,7 @@ GF_Err fpar_box_read(GF_Box *s, GF_BitSt
-
- ISOM_DECREASE_SIZE(ptr, (ptr->version ? 4 : 2) );
- ptr->nb_entries = gf_bs_read_int(bs, ptr->version ? 32 : 16);
-- if (ptr->nb_entries > UINT_MAX / 6)
-+ if (ptr->nb_entries > ptr->size / 6 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(FilePartitionEntry))
- return GF_ISOM_INVALID_FILE;
-
- ISOM_DECREASE_SIZE(ptr, ptr->nb_entries * 6 );
-@@ -10454,6 +10471,11 @@ GF_Err fecr_box_read(GF_Box *s, GF_BitSt
- ISOM_DECREASE_SIZE(ptr, (ptr->version ? 4 : 2) );
- ptr->nb_entries = gf_bs_read_int(bs, ptr->version ? 32 : 16);
-
-+ if (ptr->nb_entries > ptr->size / (ptr->version ? 8 : 6) || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(FECReservoirEntry) ) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in fecr\n", ptr->nb_entries));
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+
- ISOM_DECREASE_SIZE(ptr, ptr->nb_entries * (ptr->version ? 8 : 6) );
- GF_SAFE_ALLOC_N(ptr->entries, ptr->nb_entries, FECReservoirEntry);
- if (!ptr->entries) return GF_OUT_OF_MEM;
+++ /dev/null
-Backport of https://github.com/gpac/gpac/commit/8cd33e8977fd5f4215e4b67c309fd403762bfeb7
-
-https://talosintelligence.com/vulnerability_reports/TALOS-2021-1298
-
---- gpac-1.0.1+dfsg1.orig/src/isomedia/box_code_base.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/box_code_base.c
-@@ -1653,17 +1653,23 @@ GF_Err hdlr_box_read(GF_Box *s, GF_BitSt
- gf_bs_set_cookie(bs, cookie);
-
- if (ptr->size) {
-- ptr->nameUTF8 = (char*)gf_malloc((u32) ptr->size);
-+ u32 name_size = (u32) ptr->size;
-+ if (name_size < 1) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in hdlr\n", ptr->size));
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+ ptr->nameUTF8 = (char*)gf_malloc(name_size);
- if (!ptr->nameUTF8) return GF_OUT_OF_MEM;
-- gf_bs_read_data(bs, ptr->nameUTF8, (u32) ptr->size);
-+ gf_bs_read_data(bs, ptr->nameUTF8, name_size);
-
- //patch for old QT files - we cannot rely on checking if str[0]==len(str+1) since we may have
- //cases where the first character of the string decimal value is indeed the same as the string length!!
- //we had this issue with encryption_import test
- //we therefore only check if last char is null, and if not so assume old QT style
-- if (ptr->nameUTF8[ptr->size-1]) {
-- memmove(ptr->nameUTF8, ptr->nameUTF8+1, sizeof(char) * (u32) (ptr->size-1) );
-- ptr->nameUTF8[ptr->size-1] = 0;
-+ if (ptr->nameUTF8[name_size-1]) {
-+ if (name_size > 1)
-+ memmove(ptr->nameUTF8, ptr->nameUTF8+1, sizeof(char) * (u32) (name_size-1) );
-+ ptr->nameUTF8[name_size-1] = 0;
- ptr->store_counted_string = GF_TRUE;
- }
- }
-@@ -6687,6 +6693,10 @@ GF_Err stri_box_read(GF_Box *s, GF_BitSt
- ptr->alternate_group = gf_bs_read_u16(bs);
- ptr->sub_track_id = gf_bs_read_u32(bs);
- ptr->attribute_count = ptr->size / 4;
-+ if ((u64)ptr->attribute_count > (u64)SIZE_MAX/sizeof(u32)) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in stri\n", ptr->size));
-+ return GF_ISOM_INVALID_FILE;
-+ }
- GF_SAFE_ALLOC_N(ptr->attribute_list, (size_t)ptr->attribute_count, u32);
- if (!ptr->attribute_list) return GF_OUT_OF_MEM;
- for (i = 0; i < ptr->attribute_count; i++) {
-@@ -10972,6 +10982,10 @@ GF_Err trik_box_read(GF_Box *s,GF_BitStr
- u32 i;
- GF_TrickPlayBox *ptr = (GF_TrickPlayBox *) s;
- ptr->entry_count = (u32) ptr->size;
-+ if ((u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(GF_TrickPlayBoxEntry)) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in trik\n", ptr->size));
-+ return GF_ISOM_INVALID_FILE;
-+ }
- ptr->entries = (GF_TrickPlayBoxEntry *) gf_malloc(ptr->entry_count * sizeof(GF_TrickPlayBoxEntry) );
- if (!ptr->entries) return GF_OUT_OF_MEM;
-
+++ /dev/null
-Backport of https://github.com/gpac/gpac/commit/bbd741e0e5a6e7e1e90a73c350acc061dde9450b
-
-NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1299
-
---- gpac-1.0.1+dfsg1.orig/src/isomedia/box_code_base.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/box_code_base.c
-@@ -577,10 +577,15 @@ GF_Err url_box_read(GF_Box *s, GF_BitStr
- GF_DataEntryURLBox *ptr = (GF_DataEntryURLBox *)s;
-
- if (ptr->size) {
-- ptr->location = (char*)gf_malloc((u32) ptr->size);
-+ u32 location_size = (u32) ptr->size;
-+ if (location_size < 1) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in svhd box\n", ptr->size));
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+ ptr->location = (char*)gf_malloc(location_size);
- if (! ptr->location) return GF_OUT_OF_MEM;
-- gf_bs_read_data(bs, ptr->location, (u32)ptr->size);
-- if (ptr->location[ptr->size-1]) {
-+ gf_bs_read_data(bs, ptr->location, location_size);
-+ if (ptr->location[location_size-1]) {
- GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] url box location is not 0-terminated\n" ));
- return GF_ISOM_INVALID_FILE;
- }
-@@ -1894,6 +1899,12 @@ GF_Err sdp_box_read(GF_Box *s, GF_BitStr
- if (ptr == NULL) return GF_BAD_PARAM;
-
- length = (u32) (ptr->size);
-+
-+ if (length >= (u32)0xFFFFFFFF) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in sdp box\n", length));
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+
- //sdp text has no delimiter !!!
- ptr->sdpText = (char*)gf_malloc(sizeof(char) * (length+1));
- if (!ptr->sdpText) return GF_OUT_OF_MEM;
-@@ -1951,6 +1962,12 @@ GF_Err rtp_hnti_box_read(GF_Box *s, GF_B
- ptr->subType = gf_bs_read_u32(bs);
-
- length = (u32) (ptr->size);
-+
-+ if (length >= (u32)0xFFFFFFFF) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in rtp_hnti box\n", length));
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+
- //sdp text has no delimiter !!!
- ptr->sdpText = (char*)gf_malloc(sizeof(char) * (length+1));
- if (!ptr->sdpText) return GF_OUT_OF_MEM;
-@@ -2614,6 +2631,12 @@ GF_Err name_box_read(GF_Box *s, GF_BitSt
- GF_NameBox *ptr = (GF_NameBox *)s;
-
- length = (u32) (ptr->size);
-+
-+ if (length >= (u32)0xFFFFFFFF) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in name box\n", length));
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+
- ptr->string = (char*)gf_malloc(sizeof(char) * (length+1));
- if (! ptr->string) return GF_OUT_OF_MEM;
-
-@@ -8437,6 +8460,10 @@ void txtc_box_del(GF_Box *s)
- GF_Err txtc_box_read(GF_Box *s, GF_BitStream *bs)
- {
- GF_TextConfigBox *ptr = (GF_TextConfigBox*)s;
-+ if ((u32)ptr->size >= (u32)0xFFFFFFFF) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in txtc box\n", ptr->size));
-+ return GF_ISOM_INVALID_FILE;
-+ }
- ptr->config = (char *)gf_malloc(sizeof(char)*((u32) ptr->size+1));
- if (!ptr->config) return GF_OUT_OF_MEM;
- gf_bs_read_data(bs, ptr->config, (u32) ptr->size);