CVE-2022-29339
authorDebian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Tue, 7 Mar 2023 11:41:07 +0000 (06:41 -0500)
committerReinhard Tartler <siretart@tauware.de>
Tue, 7 Mar 2023 11:41:07 +0000 (06:41 -0500)
commit c4c76cc6e71f063d7d4664fa803ffea284e69ed9 (HEAD -> master)
Author: jeanlf <jeanlf@gpac.io>
Date:   Tue Apr 12 10:56:15 2022 +0200

    fixed #2165

Gbp-Pq: Name CVE-2022-29339.patch

src/isomedia/avc_ext.c
src/utils/bitstream.c

index d4a58492bb58a2d4037cccd145375c7c903885ec..365fa6b940e4333d578b1f287645d73b939472aa 100644 (file)
@@ -3523,6 +3523,11 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
                        op->layers_info[j].layer_id = gf_bs_read_int(bs, 6);
                        op->layers_info[j].is_outputlayer = gf_bs_read_int(bs, 1) ? GF_TRUE : GF_FALSE;
                        op->layers_info[j].is_alternate_outputlayer = gf_bs_read_int(bs, 1) ? GF_TRUE : GF_FALSE;
+
+                       if (gf_bs_is_overflow(bs)) {
+                               gf_free(op);
+                               return GF_NON_COMPLIANT_BITSTREAM;
+                       }
                }
                op->minPicWidth = gf_bs_read_u16(bs);
                op->minPicHeight = gf_bs_read_u16(bs);
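Review bot: The added `gf_bs_is_overflow(bs)` check runs only after the three fields of `op->layers_info[j]` have been written, so it catches a truncated stream but does nothing to bound `j` itself. The loop header is outside this hunk; if its limit is a count read from the bitstream, it should be compared with the capacity of `layers_info` before the loop starts, because a well-formed but oversized count would never set the overflow flag. This needs confirming against the loop header and the struct declaration, neither of which is visible here.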
@@ -3542,6 +3547,10 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
                        op->maxBitRate = gf_bs_read_u32(bs);
                        op->avgBitRate = gf_bs_read_u32(bs);
                }
+               if (gf_bs_is_overflow(bs)) {
+                       gf_free(op);
+                       return GF_NON_COMPLIANT_BITSTREAM;
+               }
                gf_list_add(ptr->operating_points, op);
        }
        count = gf_bs_read_u8(bs);
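Review bot: The early `return GF_NON_COMPLIANT_BITSTREAM;` frees only the current `op`, while entries appended to `ptr->operating_points` in earlier iterations stay in the list. The same applies to the return in the hunk above and to `dep` / `ptr->dependency_layers` in the next hunk. Whether the caller tears down `ptr` on error is not visible from these hunks, so once confirmed I would record it at the first return, e.g. `/* entries already queued in ptr are released by the caller on error */`. The context line `gf_list_add(ptr->operating_points, op);` also ignores its return value, so `op` would presumably leak if the add fails.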
@@ -3561,6 +3570,10 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
                        if (ptr->scalability_mask & (1 << j))
                                dep->dimension_identifier[j] = gf_bs_read_u8(bs);
                }
+               if (gf_bs_is_overflow(bs)) {
+                       gf_free(dep);
+                       return GF_NON_COMPLIANT_BITSTREAM;
+               }
                gf_list_add(ptr->dependency_layers, dep);
        }
 
index 6ea644ca121ddf3ec6b7ef8fedda0b7802172751..a446499c669f289596e2e52acf83c256144514c8 100644 (file)
@@ -375,9 +375,12 @@ static u8 BS_ReadByte(GF_BitStream *bs)
                bs_flush_write_cache(bs);
 
        is_eos = gf_feof(bs->stream);
+       //cache not fully read, reset EOS
+       if (bs->cache_read && (bs->cache_read_pos<bs->cache_read_size))
+               is_eos = GF_FALSE;
 
        /*we are in FILE mode, test for end of file*/
-       if (!is_eos || bs->cache_read) {
+       if (!is_eos) {
                u8 res;
                Bool loc_eos=GF_FALSE;
                assert(bs->position<=bs->size);
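Review bot: The new comment `//cache not fully read, reset EOS` says what the override does but not why `gf_feof(bs->stream)` cannot be trusted at that point. Presumably the underlying file can already be at end-of-file while bytes prefetched into the read cache are still unconsumed. I would spell that out, e.g. `/* file may be at EOF while the read cache still holds unread bytes: not end of stream yet */`, so the narrowed `if (!is_eos)` below is understandable without the commit history. BS_ReadByte starts and ends outside this hunk.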
@@ -408,7 +411,10 @@ bs_eof:
                bs->EndOfStream(bs->par);
                if (!bs->overflow_state) bs->overflow_state = 1;
        } else {
-               GF_LOG(GF_LOG_ERROR, GF_LOG_CORE, ("[BS] Attempt to overread bitstream\n"));
+               if (!bs->overflow_state) {
+                       bs->overflow_state = 1;
+                       GF_LOG(GF_LOG_ERROR, GF_LOG_CORE, ("[BS] Attempt to overread bitstream\n"));
+               }
        }
        assert(bs->position <= 1+bs->size);
        return 0;
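Review bot: `return 0;` on the overread path is indistinguishable from a genuine zero byte, so after this change `bs->overflow_state` is the only signal a parser gets. That deserves a comment at the return, e.g. `/* overread: 0 is a placeholder, callers must test the overflow state */`. The error log is now emitted only on the first overread, so later overreads on the same bitstream are silent, which is worth knowing when triaging logs from malformed files. The context line `assert(bs->position <= 1+bs->size);` is a debug-only check and gives no protection in builds compiled with `NDEBUG`. The function begins outside the hunk.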