fix DoS in function BS_ReadByte, CVE-2022-29339
authorReinhard Tartler <siretart@tauware.de>
Sat, 4 Mar 2023 17:35:12 +0000 (12:35 -0500)
committerReinhard Tartler <siretart@tauware.de>
Sat, 4 Mar 2023 17:35:12 +0000 (12:35 -0500)
debian/patches/CVE-2022-29339.patch [new file with mode: 0644]
debian/patches/series

diff --git a/debian/patches/CVE-2022-29339.patch b/debian/patches/CVE-2022-29339.patch
new file mode 100644 (file)
index 0000000..f9470e2
--- /dev/null
@@ -0,0 +1,74 @@
+commit c4c76cc6e71f063d7d4664fa803ffea284e69ed9 (HEAD -> master)
+Author: jeanlf <jeanlf@gpac.io>
+Date:   Tue Apr 12 10:56:15 2022 +0200
+
+    fixed #2165
+
+diff --git a/src/isomedia/avc_ext.c b/src/isomedia/avc_ext.c
+index d4a58492b..365fa6b94 100644
+--- a/src/isomedia/avc_ext.c
++++ b/src/isomedia/avc_ext.c
+@@ -3523,6 +3523,11 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
+                       op->layers_info[j].layer_id = gf_bs_read_int(bs, 6);
+                       op->layers_info[j].is_outputlayer = gf_bs_read_int(bs, 1) ? GF_TRUE : GF_FALSE;
+                       op->layers_info[j].is_alternate_outputlayer = gf_bs_read_int(bs, 1) ? GF_TRUE : GF_FALSE;
++
++                      if (gf_bs_is_overflow(bs)) {
++                              gf_free(op);
++                              return GF_NON_COMPLIANT_BITSTREAM;
++                      }
+               }
+               op->minPicWidth = gf_bs_read_u16(bs);
+               op->minPicHeight = gf_bs_read_u16(bs);
+@@ -3542,6 +3547,10 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
+                       op->maxBitRate = gf_bs_read_u32(bs);
+                       op->avgBitRate = gf_bs_read_u32(bs);
+               }
++              if (gf_bs_is_overflow(bs)) {
++                      gf_free(op);
++                      return GF_NON_COMPLIANT_BITSTREAM;
++              }
+               gf_list_add(ptr->operating_points, op);
+       }
+       count = gf_bs_read_u8(bs);
+@@ -3561,6 +3570,10 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
+                       if (ptr->scalability_mask & (1 << j))
+                               dep->dimension_identifier[j] = gf_bs_read_u8(bs);
+               }
++              if (gf_bs_is_overflow(bs)) {
++                      gf_free(dep);
++                      return GF_NON_COMPLIANT_BITSTREAM;
++              }
+               gf_list_add(ptr->dependency_layers, dep);
+       }
+diff --git a/src/utils/bitstream.c b/src/utils/bitstream.c
+index 6ea644ca1..a446499c6 100644
+--- a/src/utils/bitstream.c
++++ b/src/utils/bitstream.c
+@@ -375,9 +375,12 @@ static u8 BS_ReadByte(GF_BitStream *bs)
+               bs_flush_write_cache(bs);
+       is_eos = gf_feof(bs->stream);
++      //cache not fully read, reset EOS
++      if (bs->cache_read && (bs->cache_read_pos<bs->cache_read_size))
++              is_eos = GF_FALSE;
+       /*we are in FILE mode, test for end of file*/
+-      if (!is_eos || bs->cache_read) {
++      if (!is_eos) {
+               u8 res;
+               Bool loc_eos=GF_FALSE;
+               assert(bs->position<=bs->size);
+@@ -408,7 +411,10 @@ bs_eof:
+               bs->EndOfStream(bs->par);
+               if (!bs->overflow_state) bs->overflow_state = 1;
+       } else {
+-              GF_LOG(GF_LOG_ERROR, GF_LOG_CORE, ("[BS] Attempt to overread bitstream\n"));
++              if (!bs->overflow_state) {
++                      bs->overflow_state = 1;
++                      GF_LOG(GF_LOG_ERROR, GF_LOG_CORE, ("[BS] Attempt to overread bitstream\n"));
++              }
+       }
+       assert(bs->position <= 1+bs->size);
+       return 0;
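Review bot: The new patch file carries no DEP-3 header: it opens at the `commit c4c76cc6e71f063d7d4664fa803ffea284e69ed9 (HEAD -> master)` line with only "fixed #2165" as a description, so nothing inside debian/patches records that it addresses CVE-2022-29339, where it was taken from, or that it is already applied upstream. A short header block before the commit line would make that traceable for the next security update: `Description: fix DoS in BS_ReadByte, CVE-2022-29339`, `Origin: upstream, c4c76cc6e71f063d7d4664fa803ffea284e69ed9`, `Bug: <UPSTREAM_ISSUE_2165_URL>`. The `(HEAD -> master)` decoration is leftover from `git show` output and should be dropped; regenerating the file with `git format-patch` would avoid it and give the conventional `From:`/`Subject:` preamble. The outer hunk header announces 74 added lines while 71 are visible here, so confirm the file applies cleanly with quilt before upload; note that the context line `if (!bs->overflow_state) bs->overflow_state = 1;` means the packaged bitstream.c must already have the overflow_state field and gf_bs_is_overflow() for the patch to apply and build.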
index db87f3b6ecb0ef8c6b1987e5234b5837cce33fe4..9740ec7be7328c0b6b82dbd988b682303a470cef 100644 (file)
@@ -1,2 +1,3 @@
 gcc-optflags.patch
 dont-err-build-on-uknown-system.patch
+CVE-2022-29339.patch