Cherrypicked fixes for multiple security issues:
authorMoritz Muehlenhoff <jmm@debian.org>
Sat, 15 May 2021 15:06:50 +0000 (17:06 +0200)
committerMoritz Muehlenhoff <jmm@debian.org>
Sat, 15 May 2021 15:06:50 +0000 (17:06 +0200)
(Closes: #987280, #987323, #987374)
 - CVE-2021-30014/CVE-2021-30020/CVE-2021-30022
 - CVE-2020-35979
 - CVE-2020-35981
 - CVE-2020-35982
 - CVE-2021-28300
 - CVE-2021-29279
 - CVE-2021-31255
 - CVE-2021-31256
 - CVE-2021-31261
 - CVE-2021-30015
 - CVE-2021-30019
 - CVE-2021-30199
 - CVE-2021-31257
 - CVE-2021-31258
 - CVE-2021-31260
 - CVE-2021-31262

17 files changed:
debian/patches/CVE-2020-35979.patch [new file with mode: 0644]
debian/patches/CVE-2020-35981.patch [new file with mode: 0644]
debian/patches/CVE-2020-35982.patch [new file with mode: 0644]
debian/patches/CVE-2021-28300.patch [new file with mode: 0644]
debian/patches/CVE-2021-29279.patch [new file with mode: 0644]
debian/patches/CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch [new file with mode: 0644]
debian/patches/CVE-2021-30015.patch [new file with mode: 0644]
debian/patches/CVE-2021-30019.patch [new file with mode: 0644]
debian/patches/CVE-2021-30199.patch [new file with mode: 0644]
debian/patches/CVE-2021-31255.patch [new file with mode: 0644]
debian/patches/CVE-2021-31256.patch [new file with mode: 0644]
debian/patches/CVE-2021-31257.patch [new file with mode: 0644]
debian/patches/CVE-2021-31258.patch [new file with mode: 0644]
debian/patches/CVE-2021-31260.patch [new file with mode: 0644]
debian/patches/CVE-2021-31261.patch [new file with mode: 0644]
debian/patches/CVE-2021-31262.patch [new file with mode: 0644]
debian/patches/series

diff --git a/debian/patches/CVE-2020-35979.patch b/debian/patches/CVE-2020-35979.patch
new file mode 100644 (file)
index 0000000..0c5bb10
--- /dev/null
@@ -0,0 +1,28 @@
+From b15020f54aff24aaeb64b80771472be8e64a7adc Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Mon, 4 Jan 2021 11:24:26 +0100
+Subject: [PATCH] fixed #1662
+
+---
+ src/media_tools/isom_hinter.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/media_tools/isom_hinter.c b/src/media_tools/isom_hinter.c
+index 8af1d04b7f..2d05934f6d 100644
+--- a/src/media_tools/isom_hinter.c
++++ b/src/media_tools/isom_hinter.c
+@@ -793,8 +793,12 @@ GF_Err gf_hinter_track_process(GF_RTPHinter *tkHint)
+                               }
+                               remain -= size;
+                               tkHint->rtp_p->sl_header.accessUnitEndFlag = remain ? 0 : 1;
+-                              e = gf_rtp_builder_process(tkHint->rtp_p, ptr, size, (u8) !remain, samp->dataLength, duration, (u8) (descIndex + GF_RTP_TX3G_SIDX_OFFSET) );
+-                              ptr += size;
++                              if (!size) {
++                                      GF_LOG(GF_LOG_WARNING, GF_LOG_RTP, ("[rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it\n", size));
++                              } else {
++                                      e = gf_rtp_builder_process(tkHint->rtp_p, ptr, size, (u8) !remain, samp->dataLength, duration, (u8) (descIndex + GF_RTP_TX3G_SIDX_OFFSET) );
++                                      ptr += size;
++                              }
+                               tkHint->rtp_p->sl_header.accessUnitStartFlag = 0;
+                       }
+               } else {
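Review bot: The new guard covers only `size == 0`, while `remain -= size;` two lines above it still executes before `size` is ever compared with `remain`, so a NALU length larger than the bytes left would wrap `remain` unless that case is rejected somewhere above the hunk; a check such as `if (size > remain) return GF_NON_COMPLIANT_BITSTREAM;` placed before the subtraction would close that. The GF_LOG call also passes `size` as an argument although its format string contains no conversion specifier, which `-Wformat-extra-args` flags; either drop the argument or print it with `%u`. gf_hinter_track_process starts and ends outside the hunk.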
diff --git a/debian/patches/CVE-2020-35981.patch b/debian/patches/CVE-2020-35981.patch
new file mode 100644 (file)
index 0000000..c9e2e57
--- /dev/null
@@ -0,0 +1,28 @@
+From dae9900580a8888969481cd72035408091edb11b Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Mon, 4 Jan 2021 11:06:52 +0100
+Subject: [PATCH] fixed #1659
+
+---
+ src/isomedia/isom_store.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/isomedia/isom_store.c b/src/isomedia/isom_store.c
+index 37dfbe55a9..ee2b2cfaf2 100644
+--- a/src/isomedia/isom_store.c
++++ b/src/isomedia/isom_store.c
+@@ -150,8 +150,14 @@ GF_Err SetupWriters(MovieWriter *mw, GF_List *writers, u8 interleaving)
+       trackCount = gf_list_count(movie->moov->trackList);
+       for (i = 0; i < trackCount; i++) {
++              GF_SampleTableBox *stbl;
+               trak = gf_isom_get_track(movie->moov, i+1);
++              stbl = (trak->Media && trak->Media->information) ? trak->Media->information->sampleTable : NULL;
++              if (!stbl || !stbl->SampleSize || !stbl->ChunkOffset || !stbl->SampleToChunk) {
++                      return GF_ISOM_INVALID_FILE;
++              }
++
+               GF_SAFEALLOC(writer, TrackWriter);
+               if (!writer) goto exit;
+               writer->sampleNumber = 1;
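Review bot: `trak` returned by `gf_isom_get_track` is dereferenced in the new `trak->Media` expression without a NULL check, so a track entry that cannot be resolved still crashes before the new validation runs; extend the guard to `if (!trak || !trak->Media || !trak->Media->information) return GF_ISOM_INVALID_FILE;` before computing `stbl`. The new `return` also bypasses the `exit` label that the very next lines use for the writer allocation failure; if that label releases writers already appended to `writers` on earlier iterations (not visible here), the direct return leaks them on a multi-track file and should set the function's error result and `goto exit` instead. SetupWriters starts and ends outside the hunk.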
diff --git a/debian/patches/CVE-2020-35982.patch b/debian/patches/CVE-2020-35982.patch
new file mode 100644 (file)
index 0000000..8269076
--- /dev/null
@@ -0,0 +1,22 @@
+From a4eb327049132359cae54b59faec9e2f14c5a619 Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Mon, 4 Jan 2021 11:10:48 +0100
+Subject: [PATCH] fixed #1660
+
+---
+ src/media_tools/isom_hinter.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/media_tools/isom_hinter.c b/src/media_tools/isom_hinter.c
+index 5bf89cb5ca..8af1d04b7f 100644
+--- a/src/media_tools/isom_hinter.c
++++ b/src/media_tools/isom_hinter.c
+@@ -967,6 +967,8 @@ GF_Err gf_hinter_track_finalize(GF_RTPHinter *tkHint, Bool AddSystemInfo)
+               if (avcc) {
+                       sprintf(sdpLine, "a=fmtp:%d profile-level-id=%02X%02X%02X; packetization-mode=1", tkHint->rtp_p->PayloadType, avcc->AVCProfileIndication, avcc->profile_compatibility, avcc->AVCLevelIndication);
+               } else {
++                      if (!svcc)
++                              return GF_ISOM_INVALID_FILE;
+                       sprintf(sdpLine, "a=fmtp:%d profile-level-id=%02X%02X%02X; packetization-mode=1", tkHint->rtp_p->PayloadType, svcc->AVCProfileIndication, svcc->profile_compatibility, svcc->AVCLevelIndication);
+               }
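Review bot: The new `return GF_ISOM_INVALID_FILE` carries no comment on why a missing svcc is a file error rather than an SDP line to skip, and it leaves gf_hinter_track_finalize before whatever cleanup the remainder of the function performs (the function continues outside the hunk); if anything acquired earlier in the function is released further down, the exit should go through that path. A comment such as `/* neither avcc nor svcc: no profile/level to advertise, reject the track */` would record the intent. The `sprintf` into `sdpLine` on both branches stays unbounded; if `sdpLine` is a fixed-size buffer, `snprintf(sdpLine, sizeof(sdpLine), ...)` would stop the new branch from depending on the buffer size alone.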
diff --git a/debian/patches/CVE-2021-28300.patch b/debian/patches/CVE-2021-28300.patch
new file mode 100644 (file)
index 0000000..2e39c52
--- /dev/null
@@ -0,0 +1,20 @@
+From c4a5109dad73abe25ad12d8d529a728ae98d78ca Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Thu, 11 Mar 2021 15:28:56 +0100
+Subject: [PATCH] fixed #1702
+
+---
+ src/isomedia/track.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- gpac-1.0.1+dfsg1.orig/src/isomedia/track.c
++++ gpac-1.0.1+dfsg1/src/isomedia/track.c
+@@ -1019,7 +1019,7 @@ GF_Err MergeTrack(GF_TrackBox *trak, GF_
+                                       break;
+                               }
+                       }
+-                      if (saiz && saio) {
++                      if (saiz && saio && senc) {
+                               for (i = 0; i < saiz->sample_count; i++) {
+                                       GF_CENCSampleAuxInfo *sai;
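Review bot: The new `senc` guard silently skips the CENC auxiliary-info loop for a fragment that carries saiz/saio but no senc box, and nothing in the hunk says why that is acceptable rather than an error; a comment such as `/* saiz/saio without senc: nothing to merge for this fragment (see #1702) */` would document it. The check also relies on `senc` being NULL on every path where the box was not found, which is declared outside the hunk and should be confirmed. Whether `saiz->sample_count` is further bounded against the entries the loop reads from senc is not visible here; MergeTrack starts and ends outside the hunk.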
diff --git a/debian/patches/CVE-2021-29279.patch b/debian/patches/CVE-2021-29279.patch
new file mode 100644 (file)
index 0000000..0ea538a
--- /dev/null
@@ -0,0 +1,58 @@
+From da69ad1f970a7e17c865eaec9af98cc84df10d5b Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Mon, 29 Mar 2021 09:17:40 +0200
+Subject: [PATCH] fixed 1718
+
+---
+ src/filters/reframe_flac.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- gpac-1.0.1+dfsg1.orig/src/filters/reframe_flac.c
++++ gpac-1.0.1+dfsg1/src/filters/reframe_flac.c
+@@ -59,6 +59,7 @@ typedef struct
+       Bool is_playing;
+       Bool is_file;
+       Bool initial_play_done, file_loaded;
++      Bool in_error;
+       Bool initialized;
+       u32 sample_rate, nb_channels, bits_per_sample, block_size;
+@@ -378,6 +379,9 @@ GF_Err flac_dmx_process(GF_Filter *filte
+       u64 cts = GF_FILTER_NO_TS;
+       FLACHeader hdr;
++      if (ctx->in_error)
++              return GF_NON_COMPLIANT_BITSTREAM;
++
+       //always reparse duration
+       if (!ctx->duration.num)
+               flac_dmx_check_dur(filter, ctx);
+@@ -484,7 +488,12 @@ GF_Err flac_dmx_process(GF_Filter *filte
+                       gf_bs_reassign_buffer(ctx->bs, ctx->flac_buffer, size);
+                       u32 magic = gf_bs_read_u32(ctx->bs);
+                       if (magic != GF_4CC('f','L','a','C')) {
+-
++                              GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[FLACDmx] invalid FLAC magic\n"));
++                              ctx->in_error = GF_TRUE;
++                              ctx->flac_buffer_size = 0;
++                              if (pck)
++                                      gf_filter_pid_drop_packet(ctx->ipid);
++                              return GF_NON_COMPLIANT_BITSTREAM;
+                       }
+                       while (gf_bs_available(ctx->bs)) {
+                               Bool last = gf_bs_read_int(ctx->bs, 1);
+@@ -514,6 +523,14 @@ GF_Err flac_dmx_process(GF_Filter *filte
+                               }
+                               if (last) break;
+                       }
++                      if (!dsi_end) {
++                              GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[FLACDmx] invalid FLAC header\n"));
++                              ctx->in_error = GF_TRUE;
++                              ctx->flac_buffer_size = 0;
++                              if (pck)
++                                      gf_filter_pid_drop_packet(ctx->ipid);
++                              return GF_NON_COMPLIANT_BITSTREAM;
++                      }
+                       flac_dmx_check_pid(filter, ctx, ctx->flac_buffer+4, dsi_end-4);
+                       remain -= size;
+                       start += size;
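Review bot: The two error blocks added at the magic check and at the `!dsi_end` check are identical five-line sequences (log, set `in_error`, zero `flac_buffer_size`, drop the packet, return), so the recovery steps can drift apart on the next fix; a small static helper taking the log message would leave one place to maintain. The new early return at the top of flac_dmx_process returns `GF_NON_COMPLIANT_BITSTREAM` without touching the input pid, so if the framework keeps scheduling a filter whose input still holds packets (not visible here), every subsequent call repeats the same return until the stream is flushed; consider dropping or flagging the pid as ended when `in_error` is first set. The new `in_error` field is also never cleared, which is fine for a one-shot reframer but deserves a comment on the struct member, `/* set once an unrecoverable header error was seen; process() refuses further input */`. flac_dmx_process starts and ends outside the hunk.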
diff --git a/debian/patches/CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch b/debian/patches/CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch
new file mode 100644 (file)
index 0000000..42294f2
--- /dev/null
@@ -0,0 +1,67 @@
+Backport of 
+
+From 51cdb67ff7c5f1242ac58c5aa603ceaf1793b788 Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Mon, 29 Mar 2021 09:34:02 +0200
+Subject: [PATCH] add safety in avc/hevc/vvc sps/pps/vps ID check - cf #1720
+ #1721 #1722
+
+--- gpac-1.0.1+dfsg1.orig/src/media_tools/av_parsers.c
++++ gpac-1.0.1+dfsg1/src/media_tools/av_parsers.c
+@@ -5012,10 +5012,7 @@ static s32 gf_media_avc_read_sps_bs_inte
+       by subset SPS. According to the SVC standard, subset SPS can have the same sps_id
+       than its base layer, but it does not refer to the same SPS. */
+       sps_id = gf_bs_get_ue(bs) + GF_SVC_SSPS_ID_SHIFT * subseq_sps;
+-      if (sps_id >= 32) {
+-              return -1;
+-      }
+-      if (sps_id < 0) {
++      if ((sps_id < 0) || (sps_id >= 32)) {
+               return -1;
+       }
+@@ -5342,7 +5339,7 @@ static s32 gf_media_avc_read_pps_bs_inte
+               /*nal_hdr = */gf_bs_read_u8(bs);
+       }
+       pps_id = gf_bs_get_ue(bs);
+-      if (pps_id >= 255) {
++      if ((pps_id<0) || (pps_id >= 255)) {
+               return -1;
+       }
+       pps = &avc->pps[pps_id];
+@@ -5350,7 +5347,7 @@ static s32 gf_media_avc_read_pps_bs_inte
+       if (!pps->status) pps->status = 1;
+       pps->sps_id = gf_bs_get_ue(bs);
+-      if (pps->sps_id >= 32) {
++      if ((pps->sps_id<0) || (pps->sps_id >= 32)) {
+               pps->sps_id = 0;
+               return -1;
+       }
+@@ -6595,7 +6592,7 @@ s32 hevc_parse_slice_segment(GF_BitStrea
+       }
+       pps_id = gf_bs_get_ue(bs);
+-      if (pps_id >= 64)
++      if ((pps_id<0) || (pps_id >= 64))
+               return -1;
+       pps = &hevc->pps[pps_id];
+@@ -7409,7 +7406,7 @@ static s32 gf_media_hevc_read_vps_bs_int
+       //nalu header already parsed
+       vps_id = gf_bs_read_int(bs, 4);
+-      if (vps_id >= 16) return -1;
++      if ((vps_id<0) || (vps_id >= 16)) return -1;
+       vps = &hevc->vps[vps_id];
+       vps->bit_pos_vps_extensions = -1;
+@@ -7637,7 +7634,7 @@ static s32 gf_media_hevc_read_sps_bs_int
+       //nalu header already parsed
+       vps_id = gf_bs_read_int(bs, 4);
+-      if (vps_id >= 16) {
++      if ((vps_id<0) || (vps_id >= 16)) {
+               return -1;
+       }
+       memset(&ptl, 0, sizeof(ptl));
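Review bot: Each new `(x < 0)` test is only meaningful if the ID variable is signed; the declarations of `sps_id`, `pps_id` and `vps_id` are outside the hunk, so confirm the types, because on an unsigned variable the comparison is always false and the compiler warns (`-Wtype-limits`). For the two `vps_id` sites the value comes from `gf_bs_read_int(bs, 4)`, a 4-bit read that cannot produce a negative value or reach 16 unless `gf_bs_read_int` signals end-of-stream through an out-of-range result, so those two checks look redundant; the `gf_bs_get_ue` sites are the ones that matter, and they help only if `gf_bs_get_ue` can return a negative value on a malformed code. On the patch file itself, the first line `Backport of ` has trailing whitespace and the file lacks the `---` separator the other patches carry; a DEP-3 `Origin:` line pointing at upstream commit 51cdb67ff7c5f1242ac58c5aa603ceaf1793b788 would make the provenance checkable.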
diff --git a/debian/patches/CVE-2021-30015.patch b/debian/patches/CVE-2021-30015.patch
new file mode 100644 (file)
index 0000000..632b8b0
--- /dev/null
@@ -0,0 +1,21 @@
+From 13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Mon, 29 Mar 2021 09:21:51 +0200
+Subject: [PATCH] fixed #1719
+
+---
+ src/filters/reframe_av1.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- gpac-1.0.1+dfsg1.orig/src/filters/reframe_av1.c
++++ gpac-1.0.1+dfsg1/src/filters/reframe_av1.c
+@@ -718,6 +718,9 @@ static GF_Err av1dmx_parse_flush_sample(
+       GF_FilterPacket *pck;
+       u8 *output;
++      if (!ctx->opid)
++              return GF_NON_COMPLIANT_BITSTREAM;
++              
+       gf_bs_get_content_no_truncate(ctx->state.bs, &ctx->state.frame_obus, &pck_size, &ctx->state.frame_obus_alloc);
+       if (!pck_size) {
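Review bot: The added blank line after the new `return` is not empty but consists of `+` followed by whitespace, which `git diff --check` and quilt both flag; make it a plain empty added line. The guard returns `GF_NON_COMPLIANT_BITSTREAM` when there is no output pid but leaves the OBUs already accumulated in `ctx->state.bs` in place, so a comment on the check, `/* no output pid yet (stream config not parsed): cannot flush, reject */`, would make the intended handling explicit for whoever reads the caller. av1dmx_parse_flush_sample starts and ends outside the hunk.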
diff --git a/debian/patches/CVE-2021-30019.patch b/debian/patches/CVE-2021-30019.patch
new file mode 100644 (file)
index 0000000..d598629
--- /dev/null
@@ -0,0 +1,24 @@
+From 13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Mon, 29 Mar 2021 09:21:51 +0200
+Subject: [PATCH] fixed #1719
+
+---
+ src/filters/reframe_av1.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- gpac-1.0.1+dfsg1.orig/src/filters/reframe_adts.c
++++ gpac-1.0.1+dfsg1/src/filters/reframe_adts.c
+@@ -683,6 +683,12 @@ GF_Err adts_dmx_process(GF_Filter *filte
+                       break;
+               }
++              if (ctx->hdr.frame_size < ctx->hdr.hdr_size) {
++                      GF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, ("[ADTSDmx] Corrupted ADTS frame header, resyncing\n"));
++                      ctx->nb_frames = 0;
++                      goto drop_byte;
++              }
++
+               adts_dmx_check_pid(filter, ctx);
+               if (!ctx->is_playing) {
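Review bot: The patch header is copied from CVE-2021-30015.patch — same upstream commit id `13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec`, same `Subject: [PATCH] fixed #1719` and a diffstat naming `src/filters/reframe_av1.c` — while the hunk below changes `src/filters/reframe_adts.c`, so the recorded provenance for CVE-2021-30019 is wrong; replace the header with the upstream commit that actually made this change, ideally as DEP-3 `Origin:` and `Bug:` lines. The code jumps to `drop_byte`, a label defined outside the hunk, after resetting `ctx->nb_frames`; a one-line comment such as `/* frame_size counts the header bytes, so a smaller value is a corrupt header: resync byte by byte */` would explain why this is a resync and not a hard error (that `frame_size` includes the header is the ADTS convention, confirm against the parser). adts_dmx_process starts and ends outside the hunk.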
diff --git a/debian/patches/CVE-2021-30199.patch b/debian/patches/CVE-2021-30199.patch
new file mode 100644 (file)
index 0000000..2b627a0
--- /dev/null
@@ -0,0 +1,35 @@
+From b2db2f99b4c30f96e17b9a14537c776da6cb5dca Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Thu, 8 Apr 2021 09:29:42 +0200
+Subject: [PATCH] fixed #1728
+
+---
+ src/filters/reframe_latm.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- gpac-1.0.1+dfsg1.orig/src/filters/reframe_latm.c
++++ gpac-1.0.1+dfsg1/src/filters/reframe_latm.c
+@@ -424,8 +424,8 @@ GF_Err latm_dmx_process(GF_Filter *filte
+       GF_LATMDmxCtx *ctx = gf_filter_get_udta(filter);
+       GF_FilterPacket *pck, *dst_pck;
+       u32 pos;
+-      u8 *data, *output;
+-      u32 pck_size, prev_pck_size;
++      u8 *data=NULL, *output;
++      u32 pck_size=0, prev_pck_size;
+       u64 cts = GF_FILTER_NO_TS;
+       //always reparse duration
+@@ -448,10 +448,10 @@ GF_Err latm_dmx_process(GF_Filter *filte
+               } else {
+                       return GF_OK;
+               }
++      } else {
++              data = (char *) gf_filter_pck_get_data(pck, &pck_size);
+       }
+-      data = (char *) gf_filter_pck_get_data(pck, &pck_size);
+-
+       //input pid sets some timescale - we flushed pending data , update cts
+       if (ctx->timescale && pck) {
+               cts = gf_filter_pck_get_cts(pck);
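Review bot: The moved assignment keeps the `(char *)` cast although `data` is declared `u8 *` in the first hunk, so the cast hides a signedness mismatch and, if `gf_filter_pck_get_data` returns a `const` pointer, also strips `const`; drop the cast or cast to the declared type. The initialisers `data=NULL, pck_size=0` now carry a contract for the flush path where `pck` is NULL and the rest of the function (outside the hunk) has to treat a zero `pck_size` as "no new input"; a comment on the declaration, `/* NULL/0 when called without an input packet (flush) */`, records that. `prev_pck_size` stays uninitialised in the same declaration, which is fine only if every use is preceded by an assignment further down. latm_dmx_process starts and ends outside the hunk.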
diff --git a/debian/patches/CVE-2021-31255.patch b/debian/patches/CVE-2021-31255.patch
new file mode 100644 (file)
index 0000000..2a44594
--- /dev/null
@@ -0,0 +1,123 @@
+From 758135e91e623d7dfe7f6aaad7aeb3f791b7a4e5 Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Thu, 8 Apr 2021 10:07:35 +0200
+Subject: [PATCH] fixed #1733
+
+---
+ src/isomedia/box_code_adobe.c | 35 ++++++++++++++++++++++++++++++-----
+ 1 file changed, 30 insertions(+), 5 deletions(-)
+
+diff --git a/src/isomedia/box_code_adobe.c b/src/isomedia/box_code_adobe.c
+index ab5115f25a..711d84bf0d 100644
+--- a/src/isomedia/box_code_adobe.c
++++ b/src/isomedia/box_code_adobe.c
+@@ -79,6 +79,7 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
+       int i;
+       u32 tmp_strsize;
+       char *tmp_str;
++      Bool zfound=GF_FALSE;
+       GF_Err e;
+       ISOM_DECREASE_SIZE(ptr, 25)
+@@ -102,10 +103,14 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
+               ISOM_DECREASE_SIZE(ptr, 1)
+               tmp_str[i] = gf_bs_read_u8(bs);
+               tmp_strsize--;
+-              if (!tmp_str[i])
++              if (!tmp_str[i]) {
++                      zfound = GF_TRUE;
+                       break;
++              }
+               i++;
+       }
++      if (!zfound)
++              return GF_ISOM_INVALID_FILE;
+       if (i) {
+               ptr->movie_identifier = gf_strdup(tmp_str);
+       }
+@@ -114,15 +119,20 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
+       ptr->server_entry_count = gf_bs_read_u8(bs);
+       for (i=0; i<ptr->server_entry_count; i++) {
+               int j=0;
++              zfound = GF_FALSE;
+               tmp_strsize=(u32)ptr->size;
+               while (tmp_strsize) {
+                       ISOM_DECREASE_SIZE(ptr, 1)
+                       tmp_str[j] = gf_bs_read_u8(bs);
+                       tmp_strsize--;
+-                      if (!tmp_str[j])
++                      if (!tmp_str[j]) {
++                              zfound = GF_TRUE;
+                               break;
++                      }
+                       j++;
+               }
++              if (!zfound)
++                      return GF_ISOM_INVALID_FILE;
+               if (j) {
+                       gf_list_insert(ptr->server_entry_table, gf_strdup(tmp_str), i);
+               }
+@@ -132,16 +142,21 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
+       ptr->quality_entry_count = gf_bs_read_u8(bs);
+       for (i=0; i<ptr->quality_entry_count; i++) {
+               int j=0;
++              zfound = GF_FALSE;
+               tmp_strsize=(u32)ptr->size;
+               while (tmp_strsize) {
+                       ISOM_DECREASE_SIZE(ptr, 1)
+                       tmp_str[j] = gf_bs_read_u8(bs);
+                       tmp_strsize--;
+-                      if (!tmp_str[j])
++                      if (!tmp_str[j]) {
++                              zfound = GF_TRUE;
+                               break;
++                      }
+                       j++;
+               }
++              if (!zfound)
++                      return GF_ISOM_INVALID_FILE;
+               if (j) {
+                       gf_list_insert(ptr->quality_entry_table, gf_strdup(tmp_str), i);
+               }
+@@ -149,28 +164,38 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
+       i=0;
+       tmp_strsize=(u32)ptr->size;
++      zfound = GF_FALSE;
+       while (tmp_strsize) {
+               ISOM_DECREASE_SIZE(ptr, 1)
+               tmp_str[i] = gf_bs_read_u8(bs);
+               tmp_strsize--;
+-              if (!tmp_str[i])
++              if (!tmp_str[i]) {
++                      zfound = GF_TRUE;
+                       break;
++              }
+               i++;
+       }
++      if (!zfound)
++              return GF_ISOM_INVALID_FILE;
+       if (i) {
+               ptr->drm_data = gf_strdup(tmp_str);
+       }
+       i=0;
+       tmp_strsize=(u32)ptr->size;
++      zfound = GF_FALSE;
+       while (tmp_strsize) {
+               ISOM_DECREASE_SIZE(ptr, 1)
+               tmp_str[i] = gf_bs_read_u8(bs);
+               tmp_strsize--;
+-              if (!tmp_str[i])
++              if (!tmp_str[i]) {
++                      zfound = GF_TRUE;
+                       break;
++              }
+               i++;
+       }
++      if (!zfound)
++              return GF_ISOM_INVALID_FILE;
+       if (i) {
+               ptr->meta_data = gf_strdup(tmp_str);
+       }
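Review bot: Each of the five new `if (!zfound) return GF_ISOM_INVALID_FILE;` exits leaves abst_box_read while `tmp_str`, declared as a bare `char *` at the top of the function and sized from `ptr->size`, is still live; if it is allocated with gf_malloc above the hunk (not visible here), every one of these returns leaks it, so the exits should record the error and fall through to whatever frees `tmp_str` at the end of the function. The read-until-NUL loop with its zfound bookkeeping is now repeated five times; a static helper that returns GF_OK with the length, or GF_ISOM_INVALID_FILE when the payload ends without a terminator, removes the duplication and leaves one place to fix. abst_box_read starts and ends outside the hunk.
```c
/* Reads bytes from bs into dst until a NUL byte is consumed or the box
 * payload (ptr->size) is exhausted. On success *len is the string length
 * (0 for an empty string); running out of payload before the terminator
 * is reported as GF_ISOM_INVALID_FILE. dst must hold ptr->size bytes. */
static GF_Err abst_read_cstr(GF_AdobeBootstrapInfoBox *ptr, GF_BitStream *bs, char *dst, u32 *len)
{
	u32 i = 0;
	u32 left = (u32)ptr->size;
	while (left) {
		ISOM_DECREASE_SIZE(ptr, 1)
		dst[i] = gf_bs_read_u8(bs);
		left--;
		if (!dst[i]) {
			*len = i;
			return GF_OK;
		}
		i++;
	}
	return GF_ISOM_INVALID_FILE;
}

/* … unchanged: abst_box_read prologue, tmp_str allocation … */
	u32 slen;
	e = abst_read_cstr(ptr, bs, tmp_str, &slen);
	if (e) goto CLEANUP_LABEL; /* placeholder: the function's tmp_str-freeing exit */
	if (slen) {
		ptr->movie_identifier = gf_strdup(tmp_str);
	}
/* … unchanged: server/quality entry loops, drm_data and meta_data, each via abst_read_cstr … */
```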
diff --git a/debian/patches/CVE-2021-31256.patch b/debian/patches/CVE-2021-31256.patch
new file mode 100644 (file)
index 0000000..d5b2896
--- /dev/null
@@ -0,0 +1,27 @@
+From 2da2f68bffd51d89b1d272d22aa8cc023c1c066e Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Fri, 12 Mar 2021 11:46:56 +0100
+Subject: [PATCH] fixed #1705
+
+---
+ src/isomedia/stbl_read.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/isomedia/stbl_read.c b/src/isomedia/stbl_read.c
+index ebfbe62abe..384d4f7827 100644
+--- a/src/isomedia/stbl_read.c
++++ b/src/isomedia/stbl_read.c
+@@ -419,11 +419,13 @@ GF_Err stbl_GetSampleInfos(GF_SampleTableBox *stbl, u32 sampleNumber, u64 *offse
+               if ( stbl->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) {
+                       stco = (GF_ChunkOffsetBox *)stbl->ChunkOffset;
+                       if (!stco->offsets) return GF_ISOM_INVALID_FILE;
++                      if (stco->nb_entries < sampleNumber) return GF_ISOM_INVALID_FILE;
+                       (*offset) = (u64) stco->offsets[sampleNumber - 1];
+               } else {
+                       co64 = (GF_ChunkLargeOffsetBox *)stbl->ChunkOffset;
+                       if (!co64->offsets) return GF_ISOM_INVALID_FILE;
++                      if (co64->nb_entries < sampleNumber) return GF_ISOM_INVALID_FILE;
+                       (*offset) = co64->offsets[sampleNumber - 1];
+               }
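Review bot: The two new bounds checks reject `sampleNumber > nb_entries` but still index `offsets[sampleNumber - 1]`, so if `sampleNumber` can reach this point as 0 (its validation is outside the hunk) the subtraction wraps and reads before the table; `if (!sampleNumber || stco->nb_entries < sampleNumber) return GF_ISOM_INVALID_FILE;` (and the same for `co64`) closes that case at no cost. A short comment on the first check, `/* chunk index is 1-based and must not exceed the stco/co64 entry count */`, would also say why the comparison is `<` rather than `<=`. stbl_GetSampleInfos starts and ends outside the hunk.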
diff --git a/debian/patches/CVE-2021-31257.patch b/debian/patches/CVE-2021-31257.patch
new file mode 100644 (file)
index 0000000..fbfe1da
--- /dev/null
@@ -0,0 +1,20 @@
+From 87afe070cd6866df7fe80f11b26ef75161de85e0 Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Thu, 8 Apr 2021 10:09:46 +0200
+Subject: [PATCH] fixed #1734
+
+---
+ applications/mp4box/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- gpac-1.0.1+dfsg1.orig/applications/mp4box/main.c
++++ gpac-1.0.1+dfsg1/applications/mp4box/main.c
+@@ -1296,7 +1296,7 @@ GF_Err HintFile(GF_ISOFile *file, u32 MT
+               streamType = 0;
+               esd = gf_isom_get_esd(file, i+1, 1);
+-              if (esd) {
++              if (esd && esd->decoderConfig) {
+                       streamType = esd->decoderConfig->streamType;
+                       if (!prev_ocr) {
+                               prev_ocr = esd->OCRESID;
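Review bot: Tightening the condition to `esd && esd->decoderConfig` means an esd whose decoderConfig is NULL no longer enters this block; if the matching `gf_odf_desc_del((GF_Descriptor*)esd)` sits inside the block (outside the hunk, as the sibling fix in CVE-2021-31261.patch shows for the hinter), such an esd is now leaked on every track. Keep the delete under a plain `if (esd)` outside the decoderConfig-dependent block, or rewrite as `if (esd) { if (esd->decoderConfig) { ... } gf_odf_desc_del(...); }`. HintFile starts and ends outside the hunk.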
diff --git a/debian/patches/CVE-2021-31258.patch b/debian/patches/CVE-2021-31258.patch
new file mode 100644 (file)
index 0000000..6405695
--- /dev/null
@@ -0,0 +1,71 @@
+From ebfa346eff05049718f7b80041093b4c5581c24e Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Fri, 12 Mar 2021 11:56:53 +0100
+Subject: [PATCH] fixed #1706
+
+---
+ src/isomedia/isom_read.c      |  1 +
+ src/isomedia/isom_write.c     | 13 ++++++++++---
+ src/media_tools/isom_hinter.c |  6 +++++-
+ 3 files changed, 16 insertions(+), 4 deletions(-)
+
+--- gpac-1.0.1+dfsg1.orig/src/isomedia/isom_read.c
++++ gpac-1.0.1+dfsg1/src/isomedia/isom_read.c
+@@ -3802,6 +3802,7 @@ u32 gf_isom_guess_specification(GF_ISOFi
+                       case GF_ISOM_SUBTYPE_MPEG4_CRYP:
+                       {
+                               GF_DecoderConfig *dcd = gf_isom_get_decoder_config(file, i+1, 1);
++                              if (!dcd) break;
+                               switch (dcd->streamType) {
+                               case GF_STREAM_VISUAL:
+                                       if (dcd->objectTypeIndication==GF_CODECID_MPEG4_PART2) nb_m4v++;
+--- gpac-1.0.1+dfsg1.orig/src/isomedia/isom_write.c
++++ gpac-1.0.1+dfsg1/src/isomedia/isom_write.c
+@@ -5224,6 +5224,7 @@ GF_Err gf_isom_set_extraction_slc(GF_ISO
+       GF_SampleEntryBox *entry;
+       GF_Err e;
+       GF_SLConfig **slc;
++      GF_ESDBox *esds;
+       trak = gf_isom_get_track_from_file(the_file, trackNumber);
+       if (!trak) return GF_BAD_PARAM;
+@@ -5234,15 +5235,21 @@ GF_Err gf_isom_set_extraction_slc(GF_ISO
+       //we must be sure we are not using a remote ESD
+       switch (entry->type) {
+       case GF_ISOM_BOX_TYPE_MP4S:
+-              if (((GF_MPEGSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM;
++              esds = ((GF_MPEGSampleEntryBox *)entry)->esd;
++              if (!esds || !esds->desc || !esds->desc->slConfig || (esds->desc->slConfig->predefined != SLPredef_MP4))
++                      return GF_ISOM_INVALID_FILE;
+               slc = & ((GF_MPEGSampleEntryBox *)entry)->slc;
+               break;
+       case GF_ISOM_BOX_TYPE_MP4A:
+-              if (((GF_MPEGAudioSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM;
++              esds = ((GF_MPEGAudioSampleEntryBox *)entry)->esd;
++              if (!esds || !esds->desc || !esds->desc->slConfig || (esds->desc->slConfig->predefined != SLPredef_MP4))
++                      return GF_ISOM_INVALID_FILE;
+               slc = & ((GF_MPEGAudioSampleEntryBox *)entry)->slc;
+               break;
+       case GF_ISOM_BOX_TYPE_MP4V:
+-              if (((GF_MPEGVisualSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM;
++              esds = ((GF_MPEGVisualSampleEntryBox *)entry)->esd;
++              if (!esds || !esds->desc || !esds->desc->slConfig || (esds->desc->slConfig->predefined != SLPredef_MP4))
++                      return GF_ISOM_INVALID_FILE;
+               slc = & ((GF_MPEGVisualSampleEntryBox *)entry)->slc;
+               break;
+       default:
+--- gpac-1.0.1+dfsg1.orig/src/media_tools/isom_hinter.c
++++ gpac-1.0.1+dfsg1/src/media_tools/isom_hinter.c
+@@ -641,7 +641,11 @@ GF_RTPHinter *gf_hinter_track_new(GF_ISO
+       if (hintType==GF_RTP_PAYT_MPEG4) {
+               tmp->rtp_p->slMap.CodecID = codecid;
+               /*set this SL for extraction.*/
+-              gf_isom_set_extraction_slc(file, TrackNum, 1, &my_sl);
++              *e = gf_isom_set_extraction_slc(file, TrackNum, 1, &my_sl);
++              if (*e) {
++                      gf_hinter_track_del(tmp);
++                      return NULL;
++              }
+       }
+       tmp->bandwidth = bandwidth;
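Review bot: The isom_write.c hunk changes the error returned for a non-MP4 `predefined` SL config from `GF_BAD_PARAM` to `GF_ISOM_INVALID_FILE` alongside the new NULL checks, which is an API-visible change for any caller that distinguishes the two codes; either keep `GF_BAD_PARAM` for the mismatch case or note the change in the function's documentation. In the isom_hinter.c hunk the result is now stored through `*e`, an out-parameter declared outside the hunk; confirm that gf_hinter_track_new requires a non-NULL `e` (or guard with `if (e) *e = ...` and test the local value). The three esds checks in isom_write.c are byte-identical apart from the cast; a static inline helper taking the `GF_ESDBox *` would avoid repeating the four-term condition. gf_isom_set_extraction_slc and gf_hinter_track_new both start and end outside the hunk.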
diff --git a/debian/patches/CVE-2021-31260.patch b/debian/patches/CVE-2021-31260.patch
new file mode 100644 (file)
index 0000000..01f70ad
--- /dev/null
@@ -0,0 +1,36 @@
+From df8fffd839fe5ae9acd82d26fd48280a397411d9 Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Thu, 8 Apr 2021 10:21:26 +0200
+Subject: [PATCH] fixed #1736
+
+---
+ src/isomedia/track.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- gpac-1.0.1+dfsg1.orig/src/isomedia/track.c
++++ gpac-1.0.1+dfsg1/src/isomedia/track.c
+@@ -1003,10 +1003,13 @@ GF_Err MergeTrack(GF_TrackBox *trak, GF_
+                               if ((aux_info_type == GF_ISOM_CENC_SCHEME) || (aux_info_type == GF_ISOM_CBC_SCHEME) ||
+                                       (aux_info_type == GF_ISOM_CENS_SCHEME) || (aux_info_type == GF_ISOM_CBCS_SCHEME) ||
+                                       (gf_list_count(traf->sai_offsets) == 1)) {
+-                                      offset = saio->offsets[0] + moof_offset;
+-                                      nb_saio = saio->entry_count;
+-                                      break;
++                                      if (saio->offsets && saio->entry_count) {
++                                              offset = saio->offsets[0] + moof_offset;
++                                              nb_saio = saio->entry_count;
++                                              break;
++                                      }
+                               }
++                              saio = NULL;
+                       }
+                       for (i = 0; i < gf_list_count(traf->sai_sizes); i++) {
+                               saiz = (GF_SampleAuxiliaryInfoSizeBox *)gf_list_get(traf->sai_sizes, i);
+@@ -1018,6 +1021,7 @@ GF_Err MergeTrack(GF_TrackBox *trak, GF_
+                                       (gf_list_count(traf->sai_sizes) == 1)) {
+                                       break;
+                               }
++                              saiz = NULL;
+                       }
+                       if (saiz && saio && senc) {
+                               for (i = 0; i < saiz->sample_count; i++) {
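Review bot: When the matching saio box has no `offsets` or a zero `entry_count`, the new code falls through, sets `saio = NULL` and moves on to the next box, so a fragment whose aux-info offset table is missing is silently merged without CENC sample info rather than reported; a `GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ...)` at the point where the condition fails, or a comment such as `/* empty saio: treat the fragment as having no per-sample aux info */`, would make that choice visible. The `saio = NULL;` / `saiz = NULL;` resets at the end of each loop body rely on the matching `break` above them to preserve a found box; a one-line comment on each would keep a future edit from reordering them. The context line `if (saiz && saio && senc)` only exists after CVE-2021-28300.patch is applied, which debian/patches/series does in that order; worth recording in this patch's header. MergeTrack starts and ends outside the hunk.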
diff --git a/debian/patches/CVE-2021-31261.patch b/debian/patches/CVE-2021-31261.patch
new file mode 100644 (file)
index 0000000..2865313
--- /dev/null
@@ -0,0 +1,24 @@
+From cd3738dea038dbd12e603ad48cd7373ae0440f65 Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Fri, 9 Apr 2021 11:12:47 +0200
+Subject: [PATCH] fixed #1737
+
+---
+ src/media_tools/isom_hinter.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/media_tools/isom_hinter.c b/src/media_tools/isom_hinter.c
+index 6aeb9d172..6c4da454a 100644
+--- a/src/media_tools/isom_hinter.c
++++ b/src/media_tools/isom_hinter.c
+@@ -402,8 +402,9 @@ GF_RTPHinter *gf_hinter_track_new(GF_ISOFile *file, u32 TrackNum,
+                               else if (gf_isom_has_sync_shadows(file, TrackNum) || gf_isom_has_sample_dependency(file, TrackNum)) {
+                                       flags |= GP_RTP_PCK_SYSTEMS_CAROUSEL;
+                               }
+-                              gf_odf_desc_del((GF_Descriptor*)esd);
+                       }
++                      if (esd)
++                              gf_odf_desc_del((GF_Descriptor*)esd);
+                       break;
+               case GF_ISOM_SUBTYPE_3GP_H263:
+                       hintType = GF_RTP_PAYT_H263;
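Review bot: Moving the delete under `if (esd)` fixes the conditional free, but `esd` is not cleared afterwards, so if the variable is shared with the other `case` labels of this switch or reused later in gf_hinter_track_new (declared outside the hunk) it now holds a dangling pointer until the next assignment; add `esd = NULL;` directly after `gf_odf_desc_del((GF_Descriptor*)esd);`. gf_hinter_track_new starts and ends outside the hunk.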
diff --git a/debian/patches/CVE-2021-31262.patch b/debian/patches/CVE-2021-31262.patch
new file mode 100644 (file)
index 0000000..20c9d96
--- /dev/null
@@ -0,0 +1,39 @@
+From b2eab95e07cb5819375a50358d4806a8813b6e50 Mon Sep 17 00:00:00 2001
+From: jeanlf <jeanlf@gpac.io>
+Date: Fri, 9 Apr 2021 11:17:40 +0200
+Subject: [PATCH] fixed #1738
+
+---
+ src/isomedia/avc_ext.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- gpac-1.0.1+dfsg1.orig/src/isomedia/avc_ext.c
++++ gpac-1.0.1+dfsg1/src/isomedia/avc_ext.c
+@@ -1330,7 +1330,8 @@ static GF_Err gf_isom_check_mvc(GF_ISOFi
+       return GF_OK;
+ }
+-static GF_AV1Config* AV1_DuplicateConfig(GF_AV1Config const * const cfg) {
++static GF_AV1Config* AV1_DuplicateConfig(GF_AV1Config const * const cfg)
++{
+       u32 i = 0;
+       GF_AV1Config *out = gf_malloc(sizeof(GF_AV1Config));
+@@ -1374,7 +1375,7 @@ void AV1_RewriteESDescriptorEx(GF_MPEGVi
+               av1->emul_esd->decoderConfig->avgBitrate = btrt->avgBitrate;
+               av1->emul_esd->decoderConfig->maxBitrate = btrt->maxBitrate;
+       }
+-      if (av1->av1_config) {
++      if (av1->av1_config && av1->av1_config->config) {
+               GF_AV1Config *av1_cfg = AV1_DuplicateConfig(av1->av1_config->config);
+               if (av1_cfg) {
+                       gf_odf_av1_cfg_write(av1_cfg, &av1->emul_esd->decoderConfig->decoderSpecificInfo->data, &av1->emul_esd->decoderConfig->decoderSpecificInfo->dataLength);
+@@ -2275,7 +2276,7 @@ GF_AV1Config *gf_isom_av1_config_get(GF_
+       trak = gf_isom_get_track_from_file(the_file, trackNumber);
+       if (!trak || !trak->Media || !DescriptionIndex) return NULL;
+       entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex - 1);
+-      if (!entry || !entry->av1_config) return NULL;
++      if (!entry || !entry->av1_config|| !entry->av1_config->config) return NULL;
+       return AV1_DuplicateConfig(entry->av1_config->config);
+ }
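Review bot: The new `!entry->av1_config->config` check in gf_isom_av1_config_get guards the last link of a chain while the line above it still dereferences `trak->Media->information->sampleTable->SampleDescription` after checking only `trak->Media`; if `information` or `sampleTable` can be absent on a malformed track (the sibling fix in CVE-2020-35981.patch checks exactly that), extend the guard to `if (!trak || !trak->Media || !trak->Media->information || !trak->Media->information->sampleTable || !DescriptionIndex) return NULL;`. The added condition is also missing a space before `||` (`!entry->av1_config|| !entry->av1_config->config`). The AV1_DuplicateConfig hunk is a brace-placement change only.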
index db87f3b6ecb0ef8c6b1987e5234b5837cce33fe4..0f766afa08fda3d8168d7737810d22db39d82c61 100644 (file)
@@ -1,2 +1,18 @@
 gcc-optflags.patch
 dont-err-build-on-uknown-system.patch
+CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch
+CVE-2020-35979.patch
+CVE-2020-35981.patch
+CVE-2020-35982.patch
+CVE-2021-28300.patch
+CVE-2021-29279.patch
+CVE-2021-31255.patch
+CVE-2021-31256.patch
+CVE-2021-31261.patch
+CVE-2021-30015.patch
+CVE-2021-30019.patch
+CVE-2021-30199.patch
+CVE-2021-31257.patch
+CVE-2021-31258.patch
+CVE-2021-31260.patch
+CVE-2021-31262.patch
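Review bot: The ordering in series is load-bearing — CVE-2021-31260.patch's context line `if (saiz && saio && senc)` exists only after CVE-2021-28300.patch, and CVE-2020-35979.patch and CVE-2020-35982.patch touch the same file — but nothing in the file says so; quilt accepts `#` comment lines, so a note such as `# CVE-2021-31260 depends on CVE-2021-28300 (MergeTrack context)` above the affected entry would keep a later reordering from breaking the apply.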