From: Reinhard Tartler
Date: Fri, 15 Feb 2019 11:32:46 +0000 (-0500)
Subject: Add CVE-2018-20762.patch
X-Git-Tag: archive/raspbian/1.0.1+dfsg1-4+rpi1~1^2~47
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=2409e4ab39ec202a5020caaa2d5e5d3f4e0ad1ed;p=gpac.git

Add CVE-2018-20762.patch
---
diff --git a/debian/patches/CVE-2018-20762.patch b/debian/patches/CVE-2018-20762.patch
new file mode 100644
index 0000000..c2c9ab1
--- /dev/null
+++ b/debian/patches/CVE-2018-20762.patch
@@ -0,0 +1,178 @@ +commit 35ab4475a7df9b2a4bcab235e379c0c3ec543658 +Author: Aurelien David +Date: Fri Jan 11 11:32:54 2019 +0100 +Description: CVE-2018-20762 + + fix some overflows due to strcpy + + fixes #1184, #1186, #1187 among other things + +--- a/applications/mp4box/fileimport.c ++++ b/applications/mp4box/fileimport.c +@@ -2247,17 +2247,33 @@ GF_Err cat_multiple_files(GF_ISOFile *de + cat_enum.align_timelines = align_timelines; + cat_enum.allow_add_in_command = allow_add_in_command; + ++ if (strlen(fileName) >= sizeof(cat_enum.szPath)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName)); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(cat_enum.szPath, fileName); + sep = strrchr(cat_enum.szPath, GF_PATH_SEPARATOR); + if (!sep) sep = strrchr(cat_enum.szPath, '/'); + if (!sep) { + strcpy(cat_enum.szPath, "."); ++ if (strlen(fileName) >= sizeof(cat_enum.szRad1)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", fileName)); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(cat_enum.szRad1, fileName); + } else { ++ if (strlen(sep + 1) >= sizeof(cat_enum.szRad1)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1))); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(cat_enum.szRad1, sep+1); + sep[0] = 0; + } + sep = strchr(cat_enum.szRad1, '*'); ++ if (strlen(sep + 1) >= sizeof(cat_enum.szRad2)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("File name %s is too long.\n", (sep + 1))); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(cat_enum.szRad2, sep+1); + sep[0] = 0; + sep = strchr(cat_enum.szRad2, '%'); +@@ -2265,6 +2281,10 @@ GF_Err cat_multiple_files(GF_ISOFile *de + if (!sep) sep = strchr(cat_enum.szRad2, ':'); + strcpy(cat_enum.szOpt, ""); + if (sep) { ++ if (strlen(sep) >= sizeof(cat_enum.szOpt)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("Invalid option: %s.\n", sep)); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(cat_enum.szOpt, sep); + sep[0] = 0; + } +--- a/applications/mp4client/main.c ++++ 
b/applications/mp4client/main.c +@@ -900,7 +900,8 @@ Bool GPAC_EventProc(void *ptr, GF_Event + break; + case GF_EVENT_NAVIGATE: + if (gf_term_is_supported_url(term, evt->navigate.to_url, 1, no_mime_check)) { +- strcpy(the_url, evt->navigate.to_url); ++ strncpy(the_url, evt->navigate.to_url, sizeof(the_url)-1); ++ the_url[sizeof(the_url) - 1] = 0; + fprintf(stderr, "Navigating to URL %s\n", the_url); + gf_term_navigate_to(term, evt->navigate.to_url); + return 1; +@@ -1089,6 +1090,11 @@ void set_cfg_option(char *opt_string) + } + { + const size_t sepIdx = sep - opt_string; ++ if (sepIdx >= sizeof(szSec)) { ++ fprintf(stderr, "Badly formatted option %s - Section name is too long\n", opt_string); ++ return; ++ } ++ + strncpy(szSec, opt_string, sepIdx); + szSec[sepIdx] = 0; + } +@@ -1100,8 +1106,16 @@ void set_cfg_option(char *opt_string) + } + { + const size_t sepIdx = sep2 - sep; ++ if (sepIdx >= sizeof(szKey)) { ++ fprintf(stderr, "Badly formatted option %s - key name is too long\n", opt_string); ++ return; ++ } + strncpy(szKey, sep, sepIdx); + szKey[sepIdx] = 0; ++ if (strlen(sep2 + 1) >= sizeof(szVal)) { ++ fprintf(stderr, "Badly formatted option %s - value is too long\n", opt_string); ++ return; ++ } + strcpy(szVal, sep2+1); + } + +@@ -1656,7 +1670,14 @@ int mp4client_main(int argc, char **argv + else if (!gui_mode && url_arg) { + char *ext; + +- strcpy(the_url, url_arg); ++ if (strlen(url_arg) >= sizeof(the_url)) { ++ fprintf(stderr, "Input url %s is too long, truncating to %d chars.\n", url_arg, (int)(sizeof(the_url) - 1)); ++ strncpy(the_url, url_arg, sizeof(the_url)-1); ++ the_url[sizeof(the_url) - 1] = 0; ++ } ++ else { ++ strcpy(the_url, url_arg); ++ } + ext = strrchr(the_url, '.'); + if (ext && (!stricmp(ext, ".m3u") || !stricmp(ext, ".pls"))) { + GF_Err e = GF_OK; +@@ -1668,7 +1689,10 @@ int mp4client_main(int argc, char **argv + GF_DownloadSession *sess = gf_dm_sess_new(term->downloader, the_url, GF_NETIO_SESSION_NOT_THREADED, NULL, NULL, &e); + if (sess) 
{ + e = gf_dm_sess_process(sess); +- if (!e) strcpy(the_url, gf_dm_sess_get_cache_name(sess)); ++ if (!e) { ++ strncpy(the_url, gf_dm_sess_get_cache_name(sess), sizeof(the_url) - 1); ++ the_url[sizeof(the_cfg) - 1] = 0; ++ } + gf_dm_sess_del(sess); + } + } +@@ -1691,7 +1715,8 @@ int mp4client_main(int argc, char **argv + fprintf(stderr, "Hit 'h' for help\n\n"); + str = gf_cfg_get_key(cfg_file, "General", "StartupFile"); + if (str) { +- strcpy(the_url, "MP4Client "GPAC_FULL_VERSION); ++ strncpy(the_url, "MP4Client "GPAC_FULL_VERSION , sizeof(the_url)-1); ++ the_url[sizeof(the_url) - 1] = 0; + gf_term_connect(term, str); + startup_file = 1; + is_connected = 1; +--- a/modules/ffmpeg_in/ffmpeg_demux.c ++++ b/modules/ffmpeg_in/ffmpeg_demux.c +@@ -227,7 +227,7 @@ static Bool FFD_CanHandleURL(GF_InputSer + AVFormatContext *ctx; + AVOutputFormat *fmt_out; + Bool ret = GF_FALSE; +- char *ext, szName[1000], szExt[20]; ++ char *ext, szName[1024], szExt[20]; + const char *szExtList; + FFDemux *ffd; + if (!plug || !url) +@@ -243,6 +243,9 @@ static Bool FFD_CanHandleURL(GF_InputSer + + ffd = (FFDemux*)plug->priv; + ++ if (strlen(url) >= sizeof(szName)) ++ return GF_FALSE; ++ + strcpy(szName, url); + ext = strrchr(szName, '#'); + if (ext) ext[0] = 0; +@@ -252,7 +255,7 @@ static Bool FFD_CanHandleURL(GF_InputSer + ext = strrchr(szName, '.'); + if (ext && strlen(ext) > 19) ext = NULL; + +- if (ext && strlen(ext) > 1) { ++ if (ext && strlen(ext) > 1 && strlen(ext) <= sizeof(szExt)) { + strcpy(szExt, &ext[1]); + strlwr(szExt); + #ifndef FFMPEG_DEMUX_ENABLE_MPEG2TS +--- a/src/scene_manager/scene_manager.c ++++ b/src/scene_manager/scene_manager.c +@@ -646,6 +646,10 @@ GF_Err gf_sm_load_init(GF_SceneLoader *l + ext[0] = '.'; + ext = anext; + } ++ if (strlen(ext) < 2 || strlen(ext) > sizeof(szExt)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_SCENE, ("[Scene Manager] invalid extension in file name %s\n", load->fileName)); ++ return GF_NOT_SUPPORTED; ++ } + strcpy(szExt, &ext[1]); + strlwr(szExt); + 
if (strstr(szExt, "bt")) load->type = GF_SM_LOAD_BT; diff --git a/debian/patches/CVE-2018-7752.patch b/debian/patches/CVE-2018-7752.patch index 846dadb..bcfe8ab 100644 --- a/debian/patches/CVE-2018-7752.patch +++ b/debian/patches/CVE-2018-7752.patch @@ -5,11 +5,9 @@ Upstream: commit 90dc7f853d31b0a4e9441cba97feccf36d8b69a4 fix some exploitable overflows (#994, #997) -diff --git a/include/gpac/tools.h b/include/gpac/tools.h -index dbc3cebf3..15483d7d6 100644 --- a/include/gpac/tools.h +++ b/include/gpac/tools.h -@@ -1067,6 +1067,7 @@ void gf_fm_request_call(u32 type, u32 param, int *value); +@@ -1067,6 +1067,7 @@ void gf_fm_request_call(u32 type, u32 pa /* \endcond */ @@ -17,11 +15,9 @@ index dbc3cebf3..15483d7d6 100644 #ifdef __cplusplus } -diff --git a/src/isomedia/avc_ext.c b/src/isomedia/avc_ext.c -index c1096f872..c59f2ce97 100644 --- a/src/isomedia/avc_ext.c +++ b/src/isomedia/avc_ext.c -@@ -2413,6 +2413,8 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs) +@@ -2361,6 +2361,8 @@ GF_Err gf_isom_oinf_read_entry(void *ent op->output_layer_set_idx = gf_bs_read_u16(bs); op->max_temporal_id = gf_bs_read_u8(bs); op->layer_count = gf_bs_read_u8(bs); @@ -30,11 +26,9 @@ index c1096f872..c59f2ce97 100644 for (j = 0; j < op->layer_count; j++) { op->layers_info[j].ptl_idx = gf_bs_read_u8(bs); op->layers_info[j].layer_id = gf_bs_read_int(bs, 6); -diff --git a/src/media_tools/av_parsers.c b/src/media_tools/av_parsers.c -index b9b5acdbb..27a6807d9 100644 --- a/src/media_tools/av_parsers.c +++ b/src/media_tools/av_parsers.c -@@ -2385,6 +2385,10 @@ s32 gf_media_avc_read_sps(const char *sps_data, u32 sps_size, AVCState *avc, u32 +@@ -2386,6 +2386,10 @@ s32 gf_media_avc_read_sps(const char *sp sps->offset_for_non_ref_pic = bs_get_se(bs); sps->offset_for_top_to_bottom_field = bs_get_se(bs); sps->poc_cycle_length = bs_get_ue(bs); diff --git a/debian/patches/series b/debian/patches/series index 82ab5cf..5dadc4b 100644 --- a/debian/patches/series 
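Review bot: The NUL terminator written after the cache-name copy in mp4client_main is indexed by the wrong object: `the_url[sizeof(the_cfg) - 1] = 0;` follows a `strncpy` into `the_url` bounded by `sizeof(the_url) - 1`, so unless `the_cfg` happens to be an array of exactly the same size this either truncates the URL early or writes past the end of `the_url`; it should read `the_url[sizeof(the_url) - 1] = 0;` as the other three strncpy sites in this hunk do. In cat_multiple_files the new length check `if (strlen(sep + 1) >= sizeof(cat_enum.szRad2))` is placed right after `sep = strchr(cat_enum.szRad1, '*')` and still dereferences `sep` with no NULL test, so a file name without `*` now faults in the guard instead of in the strcpy it protects; a `if (!sep) return GF_NOT_SUPPORTED;` (or the error the callers already handle) belongs before it. Both functions start and end outside the quoted context. Since this file is a verbatim upstream commit, the two corrections are better carried as a separate follow-up patch in debian/patches than edited into the CVE patch, and the patch header would benefit from the `Upstream:` line the sibling CVE-2018-7752.patch carries so the origin is machine-readable.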
+++ b/debian/patches/series
@@ -7,4 +7,5 @@ dont-err-build-on-uknown-system.patch
 ffmpeg_4.patch
 fix_makefile_install.patch
 CVE-2018-7752.patch
+CVE-2018-20762.patch
 CVE-2018-20763.patch