From: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Date: Tue, 7 Mar 2023 11:41:07 +0000 (-0500)
Subject: CVE-2022-38530
X-Git-Tag: archive/raspbian/2.0.0+dfsg1-4+rpi1^2~4
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=103f4efe89c7fa80a6b8ab698db10bb9a7c2c335;p=gpac.git

CVE-2022-38530

commit 4e56ad72ac1afb4e049a10f2d99e7512d7141f9d
Author: jeanlf <jeanlf@gpac.io>
Date:   Tue Jul 12 18:29:36 2022 +0200

    fixed #2216


Gbp-Pq: Name CVE-2022-38530.patch
---

diff --git a/applications/mp4box/main.c b/applications/mp4box/main.c
index 1b3fb4f..fd0036d 100644
--- a/applications/mp4box/main.c
+++ b/applications/mp4box/main.c
@@ -3602,7 +3602,7 @@ GF_Err HintFile(GF_ISOFile *file, u32 MTUSize, u32 max_ptime, u32 rtp_rate, u32
 
 		if (e) {
 			M4_LOG(GF_LOG_ERROR, ("Error while hinting (%s)\n", gf_error_to_string(e)));
-			if (!nb_done) return e;
+			return e;
 		}
 		init_payt++;
 		nb_done ++;
diff --git a/src/odf/desc_private.c b/src/odf/desc_private.c
index a22c7cc..33313f1 100644
--- a/src/odf/desc_private.c
+++ b/src/odf/desc_private.c
@@ -273,7 +273,7 @@ GF_Err gf_odf_delete_descriptor(GF_Descriptor *desc)
 //
 //		READERS
 //
-GF_Err gf_odf_read_descriptor(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSize)
+static GF_Err gf_odf_read_descriptor_internal(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSize)
 {
 	switch (desc->tag) {
 	case GF_ODF_IOD_TAG :
@@ -368,7 +368,17 @@ GF_Err gf_odf_read_descriptor(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSiz
 	return GF_OK;
 }
 
-
+GF_Err gf_odf_read_descriptor(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSize)
+{
+	u64 cookie = gf_bs_get_cookie(bs);
+	//we allow 100 max desc in a hierarchy - see issue 2216
+	if (cookie>100)
+		return GF_NON_COMPLIANT_BITSTREAM;
+	gf_bs_set_cookie(bs, cookie+1);
+	GF_Err e = gf_odf_read_descriptor_internal(bs, desc, DescSize);
+	gf_bs_set_cookie(bs, cookie);
+	return e;
+}