From: Reinhard Tartler
Date: Sat, 4 Mar 2023 17:45:26 +0000 (-0500)
Subject: Fix use after free, CVE-2022-1795
X-Git-Tag: archive/raspbian/2.0.0+dfsg1-4+rpi1^2~34
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=49554138310905752b3590d563c957b6335cdea2;p=gpac.git
Fix use after free, CVE-2022-1795
---
diff --git a/debian/patches/CVE-2022-1795.patch b/debian/patches/CVE-2022-1795.patch
new file mode 100644
index 0000000..2f352ff
--- /dev/null
+++ b/debian/patches/CVE-2022-1795.patch
@@ -0,0 +1,34 @@
+commit c535bad50d5812d27ee5b22b54371bddec411514
+Author: jeanlf
+Date: Wed May 18 11:49:49 2022 +0200
+
+ fixed #2194
+
+diff --git a/src/bifs/memory_decoder.c b/src/bifs/memory_decoder.c
+index 74d635750..1fc8c9963 100644
+--- a/src/bifs/memory_decoder.c
++++ b/src/bifs/memory_decoder.c
+@@ -178,7 +178,12 @@ static GF_Err BM_ParseGlobalQuantizer(GF_BifsDecoder *codec, GF_BitStream *bs, G
+ codec->scenegraph->global_qp = NULL;
+ 
+ if (gf_node_get_tag(node) != TAG_MPEG4_QuantizationParameter) {
+- gf_node_unregister(node, NULL);
++ //if node was just created (num_instances == 0), unregister
++ //otherwise (USE node) don't do anything
++ if (!node->sgprivate->num_instances) {
++ node->sgprivate->num_instances = 1;
++ gf_node_unregister(node, NULL);
++ }
+ return GF_NON_COMPLIANT_BITSTREAM;
+ }
+ 
+@@ -188,7 +193,8 @@ static GF_Err BM_ParseGlobalQuantizer(GF_BifsDecoder *codec, GF_BitStream *bs, G
+ codec->scenegraph->global_qp = node;
+ 
+ /*register TWICE: once for the command, and for the scenegraph globalQP*/
+- node->sgprivate->num_instances = 2;
++ gf_node_unregister(node, NULL);
++ gf_node_unregister(node, NULL);
+ 
+ com = gf_sg_command_new(codec->current_graph, GF_SG_GLOBAL_QUANTIZER);
+ inf = gf_sg_command_field_new(com);
diff --git a/debian/patches/series b/debian/patches/series
index bc5ddc8..86c5f82 100644
--- a/debian/patches/series
+++ b/debian/patches/series
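Review bot: In the second hunk of the embedded memory_decoder.c patch, the retained comment `/*register TWICE: once for the command, and for the scenegraph globalQP*/` contradicts the two added lines, which call `gf_node_unregister(node, NULL);` twice where the old code set `node->sgprivate->num_instances = 2;`. The first hunk's own comment establishes that a freshly decoded node has `num_instances == 0` and that unregistering it is what frees it, so two unregister calls on the success path would leave `codec->scenegraph->global_qp` and the new command referring to a node whose reference count was never raised, which is the same kind of dangling reference this CVE fix is meant to close. Please check these two lines against the upstream commit named in the patch header (c535bad5...) and, if the upstream change takes references, make the backport read `gf_node_register(node, NULL);` on both lines; if unregister really is intended, reword the comment so it no longer says "register". BM_ParseGlobalQuantizer starts and ends outside the quoted hunks.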
@@ -6,4 +6,5 @@ CVE-2022-30976.patch
 CVE-2022-1035.patch
 CVE-2022-1172.patch
 CVE-2022-1222.patch
-CVE-2022-1441.patch
\ No newline at end of file
+CVE-2022-1441.patch
+CVE-2022-1795.patch