CVE-2022-3222

Origin: https://github.com/gpac/gpac/commit/4e7736d7ec7bf64026daa611da951993bb42fdaf
Reviewed-by: Aron Xu <aron@debian.org>
From 4e7736d7ec7bf64026daa611da951993bb42fdaf Mon Sep 17 00:00:00 2001
From: jeanlf <jeanlf@gpac.io>
Date: Mon, 12 Sep 2022 10:54:16 +0200
Subject: [PATCH] fixed #2238

Gbp-Pq: Name CVE-2022-3222.patch

diff --git a/src/bifs/script_dec.c b/src/bifs/script_dec.c
index 0edb501ad9e6d448932b8cc71c74dd2f7779e77e..cc6794aad3553cb9df62ca6d9a889e3260860522 100644 (file)
--- a/src/bifs/script_dec.c
+++ b/src/bifs/script_dec.c
@@ -40,6 +40,7 @@ typedef struct
        GF_List *identifiers;
        char *new_line;
        u32 indent;
+       u32 expr_stack_size;
 } ScriptParser;
 
 
@@ -169,6 +170,7 @@ GF_Err SFScript_Parse(GF_BifsDecoder *codec, SFScript *script_field, GF_BitStrea
        e = GF_OK;
        if (gf_node_get_tag(n) != TAG_MPEG4_Script) return GF_NON_COMPLIANT_BITSTREAM;
 
+       memset(&parser, 0, sizeof(ScriptParser));
        parser.codec = codec;
        parser.script = n;
        parser.bs = bs;
@@ -209,6 +211,10 @@ GF_Err SFScript_Parse(GF_BifsDecoder *codec, SFScript *script_field, GF_BitStrea
                SFS_Space(&parser);
                SFS_StatementBlock(&parser, GF_TRUE);
                SFS_Line(&parser);
+               if (codec->LastError) {
+                       e = codec->LastError;
+                       goto exit;
+               }
        }
 
        SFS_Line(&parser);
@@ -418,6 +424,7 @@ void SFS_CompoundExpression(ScriptParser *parser)
        if (parser->codec->LastError) return;
        SFS_Expression(parser);
        if (! gf_bs_read_int(parser->bs, 1)) return;
+       if (parser->codec->LastError) return;
        SFS_AddString(parser, ",");
        SFS_CompoundExpression(parser);
 }
@@ -430,12 +437,20 @@ void SFS_OptionalExpression(ScriptParser *parser)
        }
 }
 
-
+#define MAX_EXPR_STACK 500
 void SFS_Expression(ScriptParser *parser)
 {
        u32 val = gf_bs_read_int(parser->bs, NUMBITS_EXPR_TYPE);
        if (parser->codec->LastError) return;
 
+       //limit max expression stack size
+       parser->expr_stack_size++;
+       if (parser->expr_stack_size>MAX_EXPR_STACK) {
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CODEC, ("[BIFS] Max stack size %d reached for expressions, not supported\n", MAX_EXPR_STACK))
+               parser->codec->LastError = GF_NON_COMPLIANT_BITSTREAM;
+               return;
+       }
+
        switch(val) {
        case ET_CURVED_EXPR:
                SFS_AddString(parser, "(");
@@ -675,6 +690,7 @@ void SFS_Expression(ScriptParser *parser)
                assert(0);
                break;
        }
+       parser->expr_stack_size--;
 }
 
 void SFS_NewObject(ScriptParser *parser)
@@ -691,6 +707,7 @@ void SFS_ArrayDeref(ScriptParser *parser)
 {
        if (parser->codec->LastError) return;
        SFS_Expression(parser);
+       if (parser->codec->LastError) return;
        SFS_AddString(parser, "[");
        SFS_CompoundExpression(parser);
        SFS_AddString(parser, "]");
@@ -709,6 +726,7 @@ void SFS_ObjectMemberAccess(ScriptParser *parser)
 {
        if (parser->codec->LastError) return;
        SFS_Expression(parser);
+       if (parser->codec->LastError) return;
        SFS_AddString(parser, ".");
        SFS_Identifier(parser);
 }
@@ -718,6 +736,7 @@ void SFS_ObjectMethodCall(ScriptParser *parser)
 {
        if (parser->codec->LastError) return;
        SFS_Expression(parser);
+       if (parser->codec->LastError) return;
        SFS_AddString(parser, ".");
        SFS_Identifier(parser);
        SFS_AddString(parser, "(");
@@ -732,6 +751,7 @@ void SFS_Params(ScriptParser *parser)
        val = gf_bs_read_int(parser->bs, 1);
        while (val) {
                SFS_Expression(parser);
+               if (parser->codec->LastError) return;
                val = gf_bs_read_int(parser->bs, 1);
                if(val) SFS_AddString(parser, ",");
        }