Add patch for CVE-2018-20763
authorReinhard Tartler <siretart@tauware.de>
Thu, 14 Feb 2019 23:29:57 +0000 (18:29 -0500)
committerReinhard Tartler <siretart@tauware.de>
Thu, 14 Feb 2019 23:29:57 +0000 (18:29 -0500)
debian/patches/CVE-2018-20763.patch [new file with mode: 0644]
debian/patches/series

diff --git a/debian/patches/CVE-2018-20763.patch b/debian/patches/CVE-2018-20763.patch
new file mode 100644 (file)
index 0000000..fcb1d42
--- /dev/null
@@ -0,0 +1,111 @@
+commit 1c449a34fe0b50aaffb881bfb9d7c5ab0bb18cdd
+Author: Aurelien David <aurelien.david@telecom-paristech.fr>
+Date:   Fri Jan 11 14:05:16 2019 +0100
+Description: CVE-2018-20763
+
+    add some boundary checks on gf_text_get_utf8_line (#1188)
+
+--- a/src/media_tools/text_import.c
++++ b/src/media_tools/text_import.c
+@@ -201,49 +201,76 @@ char *gf_text_get_utf8_line(char *szLine
+       if (unicode_type<=1) {
+               j=0;
+               len = (u32) strlen(szLine);
+-              for (i=0; i<len; i++) {
++              for (i=0; i<len && j < sizeof(szLineConv) - 1; i++, j++) {
++
+                       if (!unicode_type && (szLine[i] & 0x80)) {
+                               /*non UTF8 (likely some win-CP)*/
+                               if ((szLine[i+1] & 0xc0) != 0x80) {
+-                                      szLineConv[j] = 0xc0 | ( (szLine[i] >> 6) & 0x3 );
+-                                      j++;
+-                                      szLine[i] &= 0xbf;
++                                      if (j + 1 < sizeof(szLineConv) - 1) {
++                                              szLineConv[j] = 0xc0 | ((szLine[i] >> 6) & 0x3);
++                                              j++;
++                                              szLine[i] &= 0xbf;
++                                      }
++                                      else
++                                              break;
+                               }
+                               /*UTF8 2 bytes char*/
+                               else if ( (szLine[i] & 0xe0) == 0xc0) {
+-                                      szLineConv[j] = szLine[i];
+-                                      i++;
+-                                      j++;
++
++                                      // don't cut multibyte in the middle in there is no more room in dest
++                                      if (j + 1 < sizeof(szLineConv) - 1 && i + 1 < len) {
++                                              szLineConv[j] = szLine[i];
++                                              i++;
++                                              j++;
++                                      }
++                                      else {
++                                              break;
++                                      }
+                               }
+                               /*UTF8 3 bytes char*/
+                               else if ( (szLine[i] & 0xf0) == 0xe0) {
+-                                      szLineConv[j] = szLine[i];
+-                                      i++;
+-                                      j++;
+-                                      szLineConv[j] = szLine[i];
+-                                      i++;
+-                                      j++;
++                                      if (j + 2 < sizeof(szLineConv) - 1 && i + 2 < len) {
++                                              szLineConv[j] = szLine[i];
++                                              i++;
++                                              j++;
++                                              szLineConv[j] = szLine[i];
++                                              i++;
++                                              j++;
++                                      }
++                                      else {
++                                              break;
++                                      }
+                               }
+                               /*UTF8 4 bytes char*/
+                               else if ( (szLine[i] & 0xf8) == 0xf0) {
+-                                      szLineConv[j] = szLine[i];
+-                                      i++;
+-                                      j++;
+-                                      szLineConv[j] = szLine[i];
+-                                      i++;
+-                                      j++;
+-                                      szLineConv[j] = szLine[i];
+-                                      i++;
+-                                      j++;
++                                      if (j + 3 < sizeof(szLineConv) - 1 && i + 3 < len) {
++                                              szLineConv[j] = szLine[i];
++                                              i++;
++                                              j++;
++                                              szLineConv[j] = szLine[i];
++                                              i++;
++                                              j++;
++                                              szLineConv[j] = szLine[i];
++                                              i++;
++                                              j++;
++                                      }
++                                      else {
++                                              break;
++                                      }
+                               } else {
+                                       i+=1;
+                                       continue;
+                               }
+                       }
+-                      szLineConv[j] = szLine[i];
+-                      j++;
++                      if (j < sizeof(szLineConv)-1 && i<len)
++                              szLineConv[j] = szLine[i];
++
+               }
+-              szLineConv[j] = 0;
++              if (j >= sizeof(szLineConv))
++                      szLineConv[sizeof(szLineConv) - 1] = 0;
++              else
++                      szLineConv[j] = 0;
++
+               strcpy(szLine, szLineConv);
+               return sOK;
+       }
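Review bot: The `continue` in the final `else` branch (unrecognised lead byte) now runs the loop's new `i++, j++` increment, so `j` steps past a slot of `szLineConv` that this loop never writes; before the change `continue` advanced only `i`. That byte is then copied back by `strcpy(szLine, szLineConv)`, which either truncates the line early or carries stale buffer contents into it, depending on how `szLineConv` is initialised (its declaration is outside this hunk). Keeping `j` out of the loop header avoids the hole: `for (i=0; i<len && j < sizeof(szLineConv) - 1; i++) {` with the tail store written as `szLineConv[j++] = szLine[i];`. Separately, the copy back into `szLine` is still unbounded while the win-CP branch emits two bytes per input byte; `szLine`'s capacity is not visible here, so it should be confirmed to be at least `sizeof(szLineConv)`. The body of `gf_text_get_utf8_line` starts before and continues after the patched region.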
index 1fd08cf974180a2470efd86af8a1dd3c340d2b34..82ab5cf3f4256e9580fbbb9a459493a818d9bd2c 100644 (file)
@@ -7,3 +7,4 @@ dont-err-build-on-uknown-system.patch
 ffmpeg_4.patch
 fix_makefile_install.patch
 CVE-2018-7752.patch
+CVE-2018-20763.patch