From: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Date: Thu, 19 Aug 2021 22:03:29 +0000 (+0100)
Subject: talos-2021-1297
X-Git-Tag: archive/raspbian/1.0.1+dfsg1-4+rpi1+deb11u1~2^2~3
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=10f026f45ca3b3621ac325ba784329d7323a13dc;p=gpac.git

talos-2021-1297

Backport of https://github.com/gpac/gpac/commit/b515fd04f5f00f4a99df741042f1efb31ad56351
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1297

Backport of https://github.com/gpac/gpac/commit/b515fd04f5f00f4a99df741042f1efb31ad56351
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1297


Gbp-Pq: Name talos-2021-1297.patch
---

diff --git a/src/isomedia/box_code_base.c b/src/isomedia/box_code_base.c
index 809106b..ff8858a 100644
--- a/src/isomedia/box_code_base.c
+++ b/src/isomedia/box_code_base.c
@@ -46,7 +46,7 @@ GF_Err co64_box_read(GF_Box *s,GF_BitStream *bs)
 
 	ISOM_DECREASE_SIZE(ptr, 4)
 
-	if (ptr->nb_entries > ptr->size / 8) {
+	if ((u64)ptr->nb_entries > ptr->size / 8 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u64)) {
 		GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in co64\n", ptr->nb_entries));
 		return GF_ISOM_INVALID_FILE;
 	}
@@ -392,7 +392,7 @@ GF_Err ctts_box_read(GF_Box *s, GF_BitStream *bs)
 	ISOM_DECREASE_SIZE(ptr, 4);
 	ptr->nb_entries = gf_bs_read_u32(bs);
 
-	if (ptr->nb_entries > ptr->size / 8) {
+	if (ptr->nb_entries > ptr->size / 8 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_DttsEntry) ) {
 		GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in ctts\n", ptr->nb_entries));
 		return GF_ISOM_INVALID_FILE;
 	}
@@ -3194,6 +3194,10 @@ GF_Err tfra_box_read(GF_Box *s, GF_BitStream *bs)
 	}
 
 	if (ptr->nb_entries) {
+		if ((u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_RandomAccessEntry)) {
+			GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in traf\n", ptr->nb_entries));
+			return GF_ISOM_INVALID_FILE;
+		}
 		p = (GF_RandomAccessEntry *) gf_malloc(sizeof(GF_RandomAccessEntry) * ptr->nb_entries);
 		if (!p) return GF_OUT_OF_MEM;
 	}
@@ -5104,7 +5108,7 @@ GF_Err stco_box_read(GF_Box *s, GF_BitStream *bs)
 
 	ISOM_DECREASE_SIZE(ptr, 4);
 	ptr->nb_entries = gf_bs_read_u32(bs);
-	if (ptr->nb_entries > ptr->size / 4) {
+	if (ptr->nb_entries > ptr->size / 4 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u32)) {
 		GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stco\n", ptr->nb_entries));
 		return GF_ISOM_INVALID_FILE;
 	}
@@ -5236,7 +5240,7 @@ GF_Err stsc_box_read(GF_Box *s, GF_BitStream *bs)
 	ISOM_DECREASE_SIZE(ptr, 4);
 	ptr->nb_entries = gf_bs_read_u32(bs);
 
-	if (ptr->nb_entries > ptr->size / 12) {
+	if (ptr->nb_entries > ptr->size / 12 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_StscEntry)) {
 		GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stsc\n", ptr->nb_entries));
 		return GF_ISOM_INVALID_FILE;
 	}
@@ -5575,6 +5579,10 @@ GF_Err stsz_box_read(GF_Box *s, GF_BitStream *bs)
 			}
 		}
 	}
+	if (ptr->sampleCount && (u64)ptr->sampleCount > (u64)SIZE_MAX/sizeof(u32)) {
+		GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stsz\n", ptr->sampleCount));
+		return GF_ISOM_INVALID_FILE;
+	}
 	if (s->type == GF_ISOM_BOX_TYPE_STSZ) {
 		if (! ptr->sampleSize && ptr->sampleCount) {
 			if (ptr->sampleCount > ptr->size / 4) {
@@ -5779,7 +5787,7 @@ GF_Err stts_box_read(GF_Box *s, GF_BitStream *bs)
 
 	ISOM_DECREASE_SIZE(ptr, 4);
 	ptr->nb_entries = gf_bs_read_u32(bs);
-	if (ptr->size < ptr->nb_entries * 8) {
+	if (ptr->size / 8 < ptr->nb_entries || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_SttsEntry)) {
 		GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stts\n", ptr->nb_entries));
 		return GF_ISOM_INVALID_FILE;
 	}
@@ -7276,6 +7284,10 @@ GF_Err trun_box_read(GF_Box *s, GF_BitStream *bs)
 		if (ptr->sample_count * 4 > ptr->size) {
 			ISOM_DECREASE_SIZE(ptr, ptr->sample_count*4);
 		}
+		if ((u64)ptr->sample_count > (u64)SIZE_MAX/sizeof(GF_TrunEntry)) {
+			GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of samples %d in trun\n", ptr->sample_count));
+			return GF_ISOM_INVALID_FILE;
+		}
 		ptr->samples = gf_malloc(sizeof(GF_TrunEntry) * ptr->sample_count);
 		if (!ptr->samples) return GF_OUT_OF_MEM;
 		ptr->sample_alloc = ptr->nb_samples = ptr->sample_count;
@@ -8786,7 +8798,7 @@ GF_Err ssix_box_read(GF_Box *s, GF_BitStream *bs)
 	ISOM_DECREASE_SIZE(ptr, 4)
 	ptr->subsegment_count = gf_bs_read_u32(bs);
 	//each subseg has at least one range_count (4 bytes), abort if not enough bytes (broken box)
-	if (ptr->size < ptr->subsegment_count*4)
+	if (ptr->size / 4 < ptr->subsegment_count || (u64)ptr->subsegment_count > (u64)SIZE_MAX/sizeof(GF_SubsegmentInfo))
 		return GF_ISOM_INVALID_FILE;
 
 	GF_SAFE_ALLOC_N(ptr->subsegments, ptr->subsegment_count, GF_SubsegmentInfo);
@@ -8797,7 +8809,7 @@ GF_Err ssix_box_read(GF_Box *s, GF_BitStream *bs)
 		ISOM_DECREASE_SIZE(ptr, 4)
 		subseg->range_count = gf_bs_read_u32(bs);
 		//each range is 4 bytes, abort if not enough bytes
-		if (ptr->size < subseg->range_count*4)
+		if (ptr->size / 4 < subseg->range_count || (u64)subseg->range_count > (u64)SIZE_MAX/sizeof(GF_SubsegmentRangeInfo))
 			return GF_ISOM_INVALID_FILE;
 		subseg->ranges = (GF_SubsegmentRangeInfo*) gf_malloc(sizeof(GF_SubsegmentRangeInfo) * subseg->range_count);
 		if (!subseg->ranges) return GF_OUT_OF_MEM;
@@ -8979,6 +8991,11 @@ GF_Err pcrb_box_read(GF_Box *s,GF_BitStream *bs)
 	ISOM_DECREASE_SIZE(ptr, 4);
 	ptr->subsegment_count = gf_bs_read_u32(bs);
 
+	if ((u64)ptr->subsegment_count > ptr->size / 8 || (u64)ptr->subsegment_count > (u64)SIZE_MAX/sizeof(u64)) {
+		GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of subsegment %d in pcrb\n", ptr->subsegment_count));
+		return GF_ISOM_INVALID_FILE;
+	}
+
 	ptr->pcr_values = gf_malloc(sizeof(u64)*ptr->subsegment_count);
 	if (!ptr->pcr_values) return GF_OUT_OF_MEM;
 	for (i=0; i<ptr->subsegment_count; i++) {
@@ -9303,7 +9320,7 @@ GF_Err sbgp_box_read(GF_Box *s, GF_BitStream *bs)
 	}
 	ptr->entry_count = gf_bs_read_u32(bs);
 
-	if (ptr->size < sizeof(GF_SampleGroupEntry)*ptr->entry_count)
+	if (ptr->size < sizeof(GF_SampleGroupEntry)*ptr->entry_count || (u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(GF_SampleGroupEntry))
 	    return GF_ISOM_INVALID_FILE;
 
 	ptr->sample_entries = gf_malloc(sizeof(GF_SampleGroupEntry)*ptr->entry_count);
@@ -9860,7 +9877,7 @@ GF_Err saio_box_read(GF_Box *s, GF_BitStream *bs)
 
 	if (ptr->entry_count) {
 		u32 i;
-		if (ptr->size < (ptr->version == 0 ? 4 : 8) * ptr->entry_count)
+		if (ptr->size / (ptr->version == 0 ? 4 : 8) < ptr->entry_count || (u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(u64))
 			return GF_ISOM_INVALID_FILE;
 		ptr->offsets = gf_malloc(sizeof(u64)*ptr->entry_count);
 		if (!ptr->offsets)
@@ -10368,7 +10385,7 @@ GF_Err fpar_box_read(GF_Box *s, GF_BitStream *bs)
 
 	ISOM_DECREASE_SIZE(ptr, (ptr->version ? 4 : 2) );
 	ptr->nb_entries = gf_bs_read_int(bs, ptr->version ? 32 : 16);
-	if (ptr->nb_entries > UINT_MAX / 6)
+	if (ptr->nb_entries > ptr->size / 6 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(FilePartitionEntry))
 		return GF_ISOM_INVALID_FILE;
 
 	ISOM_DECREASE_SIZE(ptr, ptr->nb_entries * 6 );
@@ -10454,6 +10471,11 @@ GF_Err fecr_box_read(GF_Box *s, GF_BitStream *bs)
 	ISOM_DECREASE_SIZE(ptr, (ptr->version ? 4 : 2) );
 	ptr->nb_entries = gf_bs_read_int(bs, ptr->version ? 32 : 16);
 
+	if (ptr->nb_entries > ptr->size / (ptr->version ? 8 : 6) || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(FECReservoirEntry) ) {
+		GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in fecr\n", ptr->nb_entries));
+		return GF_ISOM_INVALID_FILE;
+	}
+
 	ISOM_DECREASE_SIZE(ptr, ptr->nb_entries * (ptr->version ? 8 : 6) );
 	GF_SAFE_ALLOC_N(ptr->entries, ptr->nb_entries, FECReservoirEntry);
 	if (!ptr->entries) return GF_OUT_OF_MEM;