CVE-2018-7752

author Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>

Fri, 15 Feb 2019 11:43:22 +0000 (06:43 -0500)

committer Reinhard Tartler <siretart@tauware.de>

Fri, 15 Feb 2019 11:43:22 +0000 (06:43 -0500)
author Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Fri, 15 Feb 2019 11:43:22 +0000 (06:43 -0500)
committer Reinhard Tartler <siretart@tauware.de>
Fri, 15 Feb 2019 11:43:22 +0000 (06:43 -0500)
diff --git a/include/gpac/tools.h b/include/gpac/tools.h

index a799f8c26f4e29f16174e4e1814e5d2a72d6d0b6..44affa6597006682b3c2700bdf0f155322393a51 100644 (file)
--- a/include/gpac/tools.h
+++ b/include/gpac/tools.h
@@ -1067,6 +1067,7 @@ void gf_fm_request_call(u32 type, u32 param, int *value);
  
  /* \endcond */
  
+#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))
  
  #ifdef __cplusplus
  }
diff --git a/src/isomedia/avc_ext.c b/src/isomedia/avc_ext.c

index 933ef5a4613ef703f7befd3c9a5f90fc0ae18f27..cc78cd5baa91d01c1235f9dced179a0ce3d30b6f 100644 (file)
--- a/src/isomedia/avc_ext.c
+++ b/src/isomedia/avc_ext.c
@@ -2361,6 +2361,8 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
                 op->output_layer_set_idx = gf_bs_read_u16(bs);
                 op->max_temporal_id = gf_bs_read_u8(bs);
                 op->layer_count = gf_bs_read_u8(bs);
+               if (op->layer_count > ARRAY_LENGTH(op->layers_info))
+                       return GF_NON_COMPLIANT_BITSTREAM;
                 for (j = 0; j < op->layer_count; j++) {
                         op->layers_info[j].ptl_idx = gf_bs_read_u8(bs);
                         op->layers_info[j].layer_id = gf_bs_read_int(bs, 6);
diff --git a/src/media_tools/av_parsers.c b/src/media_tools/av_parsers.c

index 9cb8d13d6cd9dbe6f47a8609a6bda83a045bb8e6..d5a98108015145345d373550b2f48a7c311d2068 100644 (file)
--- a/src/media_tools/av_parsers.c
+++ b/src/media_tools/av_parsers.c
@@ -2386,6 +2386,10 @@ s32 gf_media_avc_read_sps(const char *sps_data, u32 sps_size, AVCState *avc, u32
                 sps->offset_for_non_ref_pic = bs_get_se(bs);
                 sps->offset_for_top_to_bottom_field = bs_get_se(bs);
                 sps->poc_cycle_length = bs_get_ue(bs);
+               if (sps->poc_cycle_length > ARRAY_LENGTH(sps->offset_for_ref_frame)) {
+                       GF_LOG(GF_LOG_ERROR, GF_LOG_CODING, ("[avc-h264] offset_for_ref_frame overflow from poc_cycle_length\n"));
+                       goto exit;
+               }
                 for(i=0; i<sps->poc_cycle_length; i++) sps->offset_for_ref_frame[i] = bs_get_se(bs);
         }
         if (sps->poc_type > 2) {
author	Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
	Fri, 15 Feb 2019 11:43:22 +0000 (06:43 -0500)
committer	Reinhard Tartler <siretart@tauware.de>
	Fri, 15 Feb 2019 11:43:22 +0000 (06:43 -0500)
include/gpac/tools.h		patch \| blob \| history
src/isomedia/avc_ext.c		patch \| blob \| history
src/media_tools/av_parsers.c		patch \| blob \| history