talos-2021-1299

Backport of https://github.com/gpac/gpac/commit/bbd741e0e5a6e7e1e90a73c350acc061dde9450b

Backport of https://github.com/gpac/gpac/commit/bbd741e0e5a6e7e1e90a73c350acc061dde9450b

NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1299

Gbp-Pq: Name talos-2021-1299.patch

diff --git a/src/isomedia/box_code_base.c b/src/isomedia/box_code_base.c
index 1f30b52102fd87063c39ba634cab5c603e73ce76..be4a85fefbeea9a4e0920e1b314a39c2f0bec8f1 100644 (file)
--- a/src/isomedia/box_code_base.c
+++ b/src/isomedia/box_code_base.c
@@ -577,10 +577,15 @@ GF_Err url_box_read(GF_Box *s, GF_BitStream *bs)
        GF_DataEntryURLBox *ptr = (GF_DataEntryURLBox *)s;
 
        if (ptr->size) {
-               ptr->location = (char*)gf_malloc((u32) ptr->size);
+               u32 location_size = (u32) ptr->size;
+               if (location_size < 1) {
+                       GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in svhd box\n", ptr->size));
+                       return GF_ISOM_INVALID_FILE;
+               }
+               ptr->location = (char*)gf_malloc(location_size);
                if (! ptr->location) return GF_OUT_OF_MEM;
-               gf_bs_read_data(bs, ptr->location, (u32)ptr->size);
-               if (ptr->location[ptr->size-1]) {
+               gf_bs_read_data(bs, ptr->location, location_size);
+               if (ptr->location[location_size-1]) {
                        GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] url box location is not 0-terminated\n" ));
                        return GF_ISOM_INVALID_FILE;
                }
@@ -1894,6 +1899,12 @@ GF_Err sdp_box_read(GF_Box *s, GF_BitStream *bs)
        if (ptr == NULL) return GF_BAD_PARAM;
 
        length = (u32) (ptr->size);
+
+       if (length >= (u32)0xFFFFFFFF) {
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in sdp box\n", length));
+               return GF_ISOM_INVALID_FILE;
+       }
+
        //sdp text has no delimiter !!!
        ptr->sdpText = (char*)gf_malloc(sizeof(char) * (length+1));
        if (!ptr->sdpText) return GF_OUT_OF_MEM;
@@ -1951,6 +1962,12 @@ GF_Err rtp_hnti_box_read(GF_Box *s, GF_BitStream *bs)
        ptr->subType = gf_bs_read_u32(bs);
 
        length = (u32) (ptr->size);
+
+       if (length >= (u32)0xFFFFFFFF) {
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in rtp_hnti box\n", length));
+               return GF_ISOM_INVALID_FILE;
+       }
+
        //sdp text has no delimiter !!!
        ptr->sdpText = (char*)gf_malloc(sizeof(char) * (length+1));
        if (!ptr->sdpText) return GF_OUT_OF_MEM;
@@ -2614,6 +2631,12 @@ GF_Err name_box_read(GF_Box *s, GF_BitStream *bs)
        GF_NameBox *ptr = (GF_NameBox *)s;
 
        length = (u32) (ptr->size);
+
+       if (length >= (u32)0xFFFFFFFF) {
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in name box\n", length));
+               return GF_ISOM_INVALID_FILE;
+       }
+
        ptr->string = (char*)gf_malloc(sizeof(char) * (length+1));
        if (! ptr->string) return GF_OUT_OF_MEM;
 
@@ -8437,6 +8460,10 @@ void txtc_box_del(GF_Box *s)
 GF_Err txtc_box_read(GF_Box *s, GF_BitStream *bs)
 {
        GF_TextConfigBox *ptr = (GF_TextConfigBox*)s;
+       if ((u32)ptr->size >= (u32)0xFFFFFFFF) {
+               GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in txtc box\n", ptr->size));
+               return GF_ISOM_INVALID_FILE;
+       }
        ptr->config = (char *)gf_malloc(sizeof(char)*((u32) ptr->size+1));
        if (!ptr->config) return GF_OUT_OF_MEM;
        gf_bs_read_data(bs, ptr->config, (u32) ptr->size);