From: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Date: Wed, 1 Sep 2021 19:50:08 +0000 (+0100)
Subject: talos-2021-1298
X-Git-Tag: archive/raspbian/1.0.1+dfsg1-5+rpi1^2~2
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=789eac33dd28b19a96d6dbe93c7ef44458e479c3;p=gpac.git

talos-2021-1298

Backport of https://github.com/gpac/gpac/commit/8cd33e8977fd5f4215e4b67c309fd403762bfeb7

Backport of https://github.com/gpac/gpac/commit/8cd33e8977fd5f4215e4b67c309fd403762bfeb7

https://talosintelligence.com/vulnerability_reports/TALOS-2021-1298


Gbp-Pq: Name talos-2021-1298.patch
---

diff --git a/src/isomedia/box_code_base.c b/src/isomedia/box_code_base.c
index ff8858a..1f30b52 100644
--- a/src/isomedia/box_code_base.c
+++ b/src/isomedia/box_code_base.c
@@ -1653,17 +1653,23 @@ GF_Err hdlr_box_read(GF_Box *s, GF_BitStream *bs)
 	gf_bs_set_cookie(bs, cookie);
 
 	if (ptr->size) {
-		ptr->nameUTF8 = (char*)gf_malloc((u32) ptr->size);
+		u32 name_size = (u32) ptr->size;
+		if (name_size < 1) {
+			GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in hdlr\n", ptr->size));
+			return GF_ISOM_INVALID_FILE;
+		}
+		ptr->nameUTF8 = (char*)gf_malloc(name_size);
 		if (!ptr->nameUTF8) return GF_OUT_OF_MEM;
-		gf_bs_read_data(bs, ptr->nameUTF8, (u32) ptr->size);
+		gf_bs_read_data(bs, ptr->nameUTF8, name_size);
 
 		//patch for old QT files - we cannot rely on checking if str[0]==len(str+1) since we may have
 		//cases where the first character of the string decimal value is indeed the same as the string length!!
 		//we had this issue with encryption_import test
 		//we therefore only check if last char is null, and if not so assume old QT style
-		if (ptr->nameUTF8[ptr->size-1]) {
-			memmove(ptr->nameUTF8, ptr->nameUTF8+1, sizeof(char) * (u32) (ptr->size-1) );
-			ptr->nameUTF8[ptr->size-1] = 0;
+		if (ptr->nameUTF8[name_size-1]) {
+			if (name_size > 1)
+				memmove(ptr->nameUTF8, ptr->nameUTF8+1, sizeof(char) * (u32) (name_size-1) );
+			ptr->nameUTF8[name_size-1] = 0;
 			ptr->store_counted_string = GF_TRUE;
 		}
 	}
@@ -6687,6 +6693,10 @@ GF_Err stri_box_read(GF_Box *s, GF_BitStream *bs)
 	ptr->alternate_group = gf_bs_read_u16(bs);
 	ptr->sub_track_id = gf_bs_read_u32(bs);
 	ptr->attribute_count = ptr->size / 4;
+	if ((u64)ptr->attribute_count > (u64)SIZE_MAX/sizeof(u32)) {
+		GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in stri\n", ptr->size));
+		return GF_ISOM_INVALID_FILE;
+	}
 	GF_SAFE_ALLOC_N(ptr->attribute_list, (size_t)ptr->attribute_count, u32);
 	if (!ptr->attribute_list) return GF_OUT_OF_MEM;
 	for (i = 0; i < ptr->attribute_count; i++) {
@@ -10972,6 +10982,10 @@ GF_Err trik_box_read(GF_Box *s,GF_BitStream *bs)
 	u32 i;
 	GF_TrickPlayBox *ptr = (GF_TrickPlayBox *) s;
 	ptr->entry_count = (u32) ptr->size;
+	if ((u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(GF_TrickPlayBoxEntry)) {
+		GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in trik\n", ptr->size));
+		return GF_ISOM_INVALID_FILE;
+	}
 	ptr->entries = (GF_TrickPlayBoxEntry *) gf_malloc(ptr->entry_count * sizeof(GF_TrickPlayBoxEntry) );
 	if (!ptr->entries) return GF_OUT_OF_MEM;