add CVE-2018-13005.patch
authorReinhard Tartler <siretart@tauware.de>
Fri, 15 Feb 2019 11:39:22 +0000 (06:39 -0500)
committerReinhard Tartler <siretart@tauware.de>
Fri, 15 Feb 2019 11:39:22 +0000 (06:39 -0500)
Addresses CVE-2018-13005 and CVE-2018-13006

debian/patches/CVE-2018-13005.patch [new file with mode: 0644]
debian/patches/series

diff --git a/debian/patches/CVE-2018-13005.patch b/debian/patches/CVE-2018-13005.patch
new file mode 100644 (file)
index 0000000..b3ceb93
--- /dev/null
@@ -0,0 +1,87 @@
+commit bceb03fd2be95097a7b409ea59914f332fb6bc86
+Author: Aurelien David <aurelien.david@telecom-paristech.fr>
+Date:   Thu Jun 28 13:34:08 2018 +0200
+Description: CVE-2018-13005, CVE-2018-13006
+
+    fixed 2 possible heap overflows (inc. #1088)
+
+--- a/include/gpac/internal/isomedia_dev.h
++++ b/include/gpac/internal/isomedia_dev.h
+@@ -3668,7 +3668,7 @@ GF_GenericSubtitleSample *gf_isom_parse_
+               char __ptype[5];\
+               strcpy(__ptype, gf_4cc_to_str(__parent->type) );\
+               GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[iso file] extra box %s found in %s, deleting\n", gf_4cc_to_str(__abox->type), __ptype)); \
+-              gf_isom_box_del(a);\
++              gf_isom_box_del(__abox);\
+               return GF_OK;\
+       }
+--- a/src/isomedia/box_code_base.c
++++ b/src/isomedia/box_code_base.c
+@@ -632,7 +632,7 @@ GF_Err urn_Read(GF_Box *s, GF_BitStream
+       //then get the break
+       i = 0;
+-      while ( (tmpName[i] != 0) && (i < to_read) ) {
++      while ( (i < to_read) && (tmpName[i] != 0) ) {
+               i++;
+       }
+       //check the data is consistent
+--- a/src/isomedia/box_dump.c
++++ b/src/isomedia/box_dump.c
+@@ -484,7 +484,7 @@ GF_Err hdlr_dump(GF_Box *a, FILE * trace
+ {
+       GF_HandlerBox *p = (GF_HandlerBox *)a;
+       gf_isom_box_dump_start(a, "HandlerBox", trace);
+-      if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8+1)) {
++      if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1) {
+               fprintf(trace, "hdlrType=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8+1);
+       } else {
+               fprintf(trace, "hdlrType=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8);
+@@ -4157,9 +4157,9 @@ static void oinf_entry_dump(GF_Operating
+               fprintf(trace, " maxPicWidth=\"%u\" maxPicHeight=\"%u\"", op->maxPicWidth, op->maxPicHeight);
+               fprintf(trace, " maxChromaFormat=\"%u\" maxBitDepth=\"%u\"", op->maxChromaFormat, op->maxBitDepth);
+               fprintf(trace, " frame_rate_info_flag=\"%u\" bit_rate_info_flag=\"%u\"", op->frame_rate_info_flag, op->bit_rate_info_flag);
+-              if (op->frame_rate_info_flag) 
++              if (op->frame_rate_info_flag)
+                       fprintf(trace, " avgFrameRate=\"%u\" constantFrameRate=\"%u\"", op->avgFrameRate, op->constantFrameRate);
+-              if (op->bit_rate_info_flag) 
++              if (op->bit_rate_info_flag)
+                       fprintf(trace, " maxBitRate=\"%u\" avgBitRate=\"%u\"", op->maxBitRate, op->avgBitRate);
+               fprintf(trace, "/>\n");
+       }
+@@ -4261,14 +4261,14 @@ static void nalm_dump(FILE * trace, char
+               fprintf(trace, "</NALUMap>\n");
+               return;
+       }
+-      
++
+       bs = gf_bs_new(data, data_size, GF_BITSTREAM_READ);
+       gf_bs_read_int(bs, 6);
+       large_size = gf_bs_read_int(bs, 1);
+       rle = gf_bs_read_int(bs, 1);
+       entry_count = gf_bs_read_int(bs, large_size ? 16 : 8);
+       fprintf(trace, "<NALUMap rle=\"%d\" large_size=\"%d\">\n", rle, large_size);
+-      
++
+       while (entry_count) {
+               u32 ID;
+               fprintf(trace, "<NALUMapEntry ");
+@@ -4335,7 +4335,7 @@ GF_Err sgpd_dump(GF_Box *a, FILE * trace
+               case GF_ISOM_SAMPLE_GROUP_TRIF:
+                       trif_dump(trace, (char *) ((GF_DefaultSampleGroupDescriptionEntry*)entry)->data,  ((GF_DefaultSampleGroupDescriptionEntry*)entry)->length);
+                       break;
+-                      
++
+               case GF_ISOM_SAMPLE_GROUP_NALM:
+                       nalm_dump(trace, (char *) ((GF_DefaultSampleGroupDescriptionEntry*)entry)->data,  ((GF_DefaultSampleGroupDescriptionEntry*)entry)->length);
+                       break;
+@@ -4501,7 +4501,7 @@ GF_Err tenc_dump(GF_Box *a, FILE * trace
+               fprintf(trace, "\"  KID=\"");
+       }
+       dump_data_hex(trace, (char *) ptr->KID, 16);
+-      if (ptr->version) 
++      if (ptr->version)
+               fprintf(trace, "\" crypt_byte_block=\"%d\" skip_byte_block=\"%d", ptr->crypt_byte_block, ptr->skip_byte_block);
+       fprintf(trace, "\">\n");
+       gf_isom_box_dump_done("TrackEncryptionBox", a, trace);
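Review bot: In the box_dump.c hunk, the else branch of hdlr_dump still passes `p->nameUTF8` to a `%s` conversion when the pointer is NULL, because the `if` is the only place that tests it; NULL for `%s` is undefined behaviour, and the name presumably comes from the parsed file. Guarding the argument in that fprintf call, as in `p->nameUTF8 ? p->nameUTF8 : ""`, would close it. The new comparison `strlen(p->nameUTF8)-1` also relies on unsigned wraparound to reject an empty string, which works but deserves a comment such as `/* empty name: strlen()-1 wraps, so the length-prefixed branch is skipped */`. The cast `(u32) p->nameUTF8[0]` presumably sign-extends where char is signed, so a length byte of 0x80 or above would never match; confirm whether that is intended. hdlr_dump continues beyond the lines shown in this hunk.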
index 4b5131a2e749263ca16f8a039b181ce7273fc778..6953cb673b338832502ecb082604078f329f384f 100644 (file)
@@ -10,3 +10,4 @@ CVE-2018-7752.patch
 CVE-2018-20762.patch
 CVE-2018-20763.patch
 CVE-2018-20760.patch
+CVE-2018-13005.patch