From: Sebastian Ramacher
Date: Wed, 1 Sep 2021 19:57:41 +0000 (+0200)
Subject: Apply patches for a bunch of CVEs
X-Git-Tag: archive/raspbian/2.0.0+dfsg1-4+rpi1^2~58
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=abc9e69717595f62e3c3cd530a05111b7d89a1b7;p=gpac.git

Apply patches for a bunch of CVEs
---

diff --git a/debian/patches/series b/debian/patches/series
index 0f766af..39cc63a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,6 @@ CVE-2021-31257.patch
 CVE-2021-31258.patch
 CVE-2021-31260.patch
 CVE-2021-31262.patch
+talos-2021-1297.patch
+talos-2021-1298.patch
+talos-2021-1299.patch
diff --git a/debian/patches/talos-2021-1297.patch b/debian/patches/talos-2021-1297.patch
new file mode 100644
index 0000000..e275d40
--- /dev/null
+++ b/debian/patches/talos-2021-1297.patch
@@ -0,0 +1,152 @@
+Backport of https://github.com/gpac/gpac/commit/b515fd04f5f00f4a99df741042f1efb31ad56351
+https://talosintelligence.com/vulnerability_reports/TALOS-2021-1297
+
+--- gpac-1.0.1+dfsg1.orig/src/isomedia/box_code_base.c
++++ gpac-1.0.1+dfsg1/src/isomedia/box_code_base.c
+@@ -46,7 +46,7 @@ GF_Err co64_box_read(GF_Box *s,GF_BitStr
+
+ ISOM_DECREASE_SIZE(ptr, 4)
+
+- if (ptr->nb_entries > ptr->size / 8) {
++ if ((u64)ptr->nb_entries > ptr->size / 8 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u64)) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in co64\n", ptr->nb_entries));
+ return GF_ISOM_INVALID_FILE;
+ }
+@@ -392,7 +392,7 @@ GF_Err ctts_box_read(GF_Box *s, GF_BitSt
+ ISOM_DECREASE_SIZE(ptr, 4);
+ ptr->nb_entries = gf_bs_read_u32(bs);
+
+- if (ptr->nb_entries > ptr->size / 8) {
++ if (ptr->nb_entries > ptr->size / 8 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_DttsEntry) ) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in ctts\n", ptr->nb_entries));
+ return GF_ISOM_INVALID_FILE;
+ }
+@@ -3194,6 +3194,10 @@ GF_Err tfra_box_read(GF_Box *s, GF_BitSt
+ }
+
+ if (ptr->nb_entries) {
++ if ((u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_RandomAccessEntry)) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in traf\n", ptr->nb_entries));
++ return GF_ISOM_INVALID_FILE;
++ }
+ p = (GF_RandomAccessEntry *) gf_malloc(sizeof(GF_RandomAccessEntry) * ptr->nb_entries);
+ if (!p) return GF_OUT_OF_MEM;
+ }
+@@ -5104,7 +5108,7 @@ GF_Err stco_box_read(GF_Box *s, GF_BitSt
+
+ ISOM_DECREASE_SIZE(ptr, 4);
+ ptr->nb_entries = gf_bs_read_u32(bs);
+- if (ptr->nb_entries > ptr->size / 4) {
++ if (ptr->nb_entries > ptr->size / 4 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u32)) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stco\n", ptr->nb_entries));
+ return GF_ISOM_INVALID_FILE;
+ }
+@@ -5236,7 +5240,7 @@ GF_Err stsc_box_read(GF_Box *s, GF_BitSt
+ ISOM_DECREASE_SIZE(ptr, 4);
+ ptr->nb_entries = gf_bs_read_u32(bs);
+
+- if (ptr->nb_entries > ptr->size / 12) {
++ if (ptr->nb_entries > ptr->size / 12 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_StscEntry)) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stsc\n", ptr->nb_entries));
+ return GF_ISOM_INVALID_FILE;
+ }
+@@ -5575,6 +5579,10 @@ GF_Err stsz_box_read(GF_Box *s, GF_BitSt
+ }
+ }
+ }
++ if (ptr->sampleCount && (u64)ptr->sampleCount > (u64)SIZE_MAX/sizeof(u32)) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stsz\n", ptr->sampleCount));
++ return GF_ISOM_INVALID_FILE;
++ }
+ if (s->type == GF_ISOM_BOX_TYPE_STSZ) {
+ if (! ptr->sampleSize && ptr->sampleCount) {
+ if (ptr->sampleCount > ptr->size / 4) {
+@@ -5779,7 +5787,7 @@ GF_Err stts_box_read(GF_Box *s, GF_BitSt
+
+ ISOM_DECREASE_SIZE(ptr, 4);
+ ptr->nb_entries = gf_bs_read_u32(bs);
+- if (ptr->size < ptr->nb_entries * 8) {
++ if (ptr->size / 8 < ptr->nb_entries || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_SttsEntry)) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stts\n", ptr->nb_entries));
+ return GF_ISOM_INVALID_FILE;
+ }
+@@ -7276,6 +7284,10 @@ GF_Err trun_box_read(GF_Box *s, GF_BitSt
+ if (ptr->sample_count * 4 > ptr->size) {
+ ISOM_DECREASE_SIZE(ptr, ptr->sample_count*4);
+ }
++ if ((u64)ptr->sample_count > (u64)SIZE_MAX/sizeof(GF_TrunEntry)) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of samples %d in trun\n", ptr->sample_count));
++ return GF_ISOM_INVALID_FILE;
++ }
+ ptr->samples = gf_malloc(sizeof(GF_TrunEntry) * ptr->sample_count);
+ if (!ptr->samples) return GF_OUT_OF_MEM;
+ ptr->sample_alloc = ptr->nb_samples = ptr->sample_count;
+@@ -8786,7 +8798,7 @@ GF_Err ssix_box_read(GF_Box *s, GF_BitSt
+ ISOM_DECREASE_SIZE(ptr, 4)
+ ptr->subsegment_count = gf_bs_read_u32(bs);
+ //each subseg has at least one range_count (4 bytes), abort if not enough bytes (broken box)
+- if (ptr->size < ptr->subsegment_count*4)
++ if (ptr->size / 4 < ptr->subsegment_count || (u64)ptr->subsegment_count > (u64)SIZE_MAX/sizeof(GF_SubsegmentInfo))
+ return GF_ISOM_INVALID_FILE;
+
+ GF_SAFE_ALLOC_N(ptr->subsegments, ptr->subsegment_count, GF_SubsegmentInfo);
+@@ -8797,7 +8809,7 @@ GF_Err ssix_box_read(GF_Box *s, GF_BitSt
+ ISOM_DECREASE_SIZE(ptr, 4)
+ subseg->range_count = gf_bs_read_u32(bs);
+ //each range is 4 bytes, abort if not enough bytes
+- if (ptr->size < subseg->range_count*4)
++ if (ptr->size / 4 < subseg->range_count || (u64)subseg->range_count > (u64)SIZE_MAX/sizeof(GF_SubsegmentRangeInfo))
+ return GF_ISOM_INVALID_FILE;
+ subseg->ranges = (GF_SubsegmentRangeInfo*) gf_malloc(sizeof(GF_SubsegmentRangeInfo) * subseg->range_count);
+ if (!subseg->ranges) return GF_OUT_OF_MEM;
+@@ -8979,6 +8991,11 @@ GF_Err pcrb_box_read(GF_Box *s,GF_BitStr
+ ISOM_DECREASE_SIZE(ptr, 4);
+ ptr->subsegment_count = gf_bs_read_u32(bs);
+
++ if ((u64)ptr->subsegment_count > ptr->size / 8 || (u64)ptr->subsegment_count > (u64)SIZE_MAX/sizeof(u64)) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of subsegment %d in pcrb\n", ptr->subsegment_count));
++ return GF_ISOM_INVALID_FILE;
++ }
++
+ ptr->pcr_values = gf_malloc(sizeof(u64)*ptr->subsegment_count);
+ if (!ptr->pcr_values) return GF_OUT_OF_MEM;
+ for (i=0; isubsegment_count; i++) {
+@@ -9303,7 +9320,7 @@ GF_Err sbgp_box_read(GF_Box *s, GF_BitSt
+ }
+ ptr->entry_count = gf_bs_read_u32(bs);
+
+- if (ptr->size < sizeof(GF_SampleGroupEntry)*ptr->entry_count)
++ if (ptr->size < sizeof(GF_SampleGroupEntry)*ptr->entry_count || (u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(GF_SampleGroupEntry))
+ return GF_ISOM_INVALID_FILE;
+
+ ptr->sample_entries = gf_malloc(sizeof(GF_SampleGroupEntry)*ptr->entry_count);
+@@ -9860,7 +9877,7 @@ GF_Err saio_box_read(GF_Box *s, GF_BitSt
+
+ if (ptr->entry_count) {
+ u32 i;
+- if (ptr->size < (ptr->version == 0 ? 4 : 8) * ptr->entry_count)
++ if (ptr->size / (ptr->version == 0 ? 4 : 8) < ptr->entry_count || (u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(u64))
+ return GF_ISOM_INVALID_FILE;
+ ptr->offsets = gf_malloc(sizeof(u64)*ptr->entry_count);
+ if (!ptr->offsets)
+@@ -10368,7 +10385,7 @@ GF_Err fpar_box_read(GF_Box *s, GF_BitSt
+
+ ISOM_DECREASE_SIZE(ptr, (ptr->version ? 4 : 2) );
+ ptr->nb_entries = gf_bs_read_int(bs, ptr->version ? 32 : 16);
+- if (ptr->nb_entries > UINT_MAX / 6)
++ if (ptr->nb_entries > ptr->size / 6 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(FilePartitionEntry))
+ return GF_ISOM_INVALID_FILE;
+
+ ISOM_DECREASE_SIZE(ptr, ptr->nb_entries * 6 );
+@@ -10454,6 +10471,11 @@ GF_Err fecr_box_read(GF_Box *s, GF_BitSt
+ ISOM_DECREASE_SIZE(ptr, (ptr->version ? 4 : 2) );
+ ptr->nb_entries = gf_bs_read_int(bs, ptr->version ? 32 : 16);
+
++ if (ptr->nb_entries > ptr->size / (ptr->version ? 8 : 6) || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(FECReservoirEntry) ) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in fecr\n", ptr->nb_entries));
++ return GF_ISOM_INVALID_FILE;
++ }
++
+ ISOM_DECREASE_SIZE(ptr, ptr->nb_entries * (ptr->version ? 8 : 6) );
+ GF_SAFE_ALLOC_N(ptr->entries, ptr->nb_entries, FECReservoirEntry);
+ if (!ptr->entries) return GF_OUT_OF_MEM;
diff --git a/debian/patches/talos-2021-1298.patch b/debian/patches/talos-2021-1298.patch
new file mode 100644
index 0000000..573b6c5
--- /dev/null
+++ b/debian/patches/talos-2021-1298.patch
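Review bot: The log line added inside tfra_box_read names the wrong box — it reports `Invalid number of entries %d in traf` although the check guards the tfra entry allocation, so it should read `GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in tfra\n", ptr->nb_entries));` to keep log triage pointing at the right reader. The new messages in tfra, stsz, trun, pcrb and fecr also print a u32 with `%d`, where `%u` matches the type; the pre-existing messages do the same, so this is consistency rather than a regression. The `(u64)count > (u64)SIZE_MAX/sizeof(T)` guard is now copied verbatim into fourteen readers; a small helper macro along the lines of `#define ISOM_ENTRIES_OVERFLOW(n, T) ((u64)(n) > (u64)SIZE_MAX / sizeof(T))` (name illustrative) would keep later backports from drifting between sites. Every function touched by this patch starts and ends outside its hunk.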
@@ -0,0 +1,57 @@
+Backport of https://github.com/gpac/gpac/commit/8cd33e8977fd5f4215e4b67c309fd403762bfeb7
+
+https://talosintelligence.com/vulnerability_reports/TALOS-2021-1298
+
+--- gpac-1.0.1+dfsg1.orig/src/isomedia/box_code_base.c
++++ gpac-1.0.1+dfsg1/src/isomedia/box_code_base.c
+@@ -1653,17 +1653,23 @@ GF_Err hdlr_box_read(GF_Box *s, GF_BitSt
+ gf_bs_set_cookie(bs, cookie);
+
+ if (ptr->size) {
+- ptr->nameUTF8 = (char*)gf_malloc((u32) ptr->size);
++ u32 name_size = (u32) ptr->size;
++ if (name_size < 1) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in hdlr\n", ptr->size));
++ return GF_ISOM_INVALID_FILE;
++ }
++ ptr->nameUTF8 = (char*)gf_malloc(name_size);
+ if (!ptr->nameUTF8) return GF_OUT_OF_MEM;
+- gf_bs_read_data(bs, ptr->nameUTF8, (u32) ptr->size);
++ gf_bs_read_data(bs, ptr->nameUTF8, name_size);
+
+ //patch for old QT files - we cannot rely on checking if str[0]==len(str+1) since we may have
+ //cases where the first character of the string decimal value is indeed the same as the string length!!
+ //we had this issue with encryption_import test
+ //we therefore only check if last char is null, and if not so assume old QT style
+- if (ptr->nameUTF8[ptr->size-1]) {
+- memmove(ptr->nameUTF8, ptr->nameUTF8+1, sizeof(char) * (u32) (ptr->size-1) );
+- ptr->nameUTF8[ptr->size-1] = 0;
++ if (ptr->nameUTF8[name_size-1]) {
++ if (name_size > 1)
++ memmove(ptr->nameUTF8, ptr->nameUTF8+1, sizeof(char) * (u32) (name_size-1) );
++ ptr->nameUTF8[name_size-1] = 0;
+ ptr->store_counted_string = GF_TRUE;
+ }
+ }
+@@ -6687,6 +6693,10 @@ GF_Err stri_box_read(GF_Box *s, GF_BitSt
+ ptr->alternate_group = gf_bs_read_u16(bs);
+ ptr->sub_track_id = gf_bs_read_u32(bs);
+ ptr->attribute_count = ptr->size / 4;
++ if ((u64)ptr->attribute_count > (u64)SIZE_MAX/sizeof(u32)) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in stri\n", ptr->size));
++ return GF_ISOM_INVALID_FILE;
++ }
+ GF_SAFE_ALLOC_N(ptr->attribute_list, (size_t)ptr->attribute_count, u32);
+ if (!ptr->attribute_list) return GF_OUT_OF_MEM;
+ for (i = 0; i < ptr->attribute_count; i++) {
+@@ -10972,6 +10982,10 @@ GF_Err trik_box_read(GF_Box *s,GF_BitStr
+ u32 i;
+ GF_TrickPlayBox *ptr = (GF_TrickPlayBox *) s;
+ ptr->entry_count = (u32) ptr->size;
++ if ((u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(GF_TrickPlayBoxEntry)) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in trik\n", ptr->size));
++ return GF_ISOM_INVALID_FILE;
++ }
+ ptr->entries = (GF_TrickPlayBoxEntry *) gf_malloc(ptr->entry_count * sizeof(GF_TrickPlayBoxEntry) );
+ if (!ptr->entries) return GF_OUT_OF_MEM;
+
diff --git a/debian/patches/talos-2021-1299.patch b/debian/patches/talos-2021-1299.patch
new file mode 100644
index 0000000..51f5378
--- /dev/null
+++ b/debian/patches/talos-2021-1299.patch
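Review bot: In hdlr_box_read the new guard only catches the case where `(u32) ptr->size` narrows to exactly zero; the `%llu` in the added log line shows ptr->size is 64-bit, so a size such as 0x100000001 yields name_size == 1, one byte is consumed and the remainder of the box stays unread, which nothing in the hunk rejects (whether the caller notices leftover bytes is not visible here). Comparing the untruncated value is tighter: `if (ptr->size > 0xFFFFFFFFULL || name_size < 1) {` with the same GF_LOG and return. The trik hunk has the same `(u32) ptr->size` narrowing into entry_count ahead of its SIZE_MAX check and would benefit from the same comparison. hdlr_box_read, stri_box_read and trik_box_read all begin before and continue after their hunks.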
@@ -0,0 +1,75 @@
+Backport of https://github.com/gpac/gpac/commit/bbd741e0e5a6e7e1e90a73c350acc061dde9450b
+
+NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1299
+
+--- gpac-1.0.1+dfsg1.orig/src/isomedia/box_code_base.c
++++ gpac-1.0.1+dfsg1/src/isomedia/box_code_base.c
+@@ -577,10 +577,15 @@ GF_Err url_box_read(GF_Box *s, GF_BitStr
+ GF_DataEntryURLBox *ptr = (GF_DataEntryURLBox *)s;
+
+ if (ptr->size) {
+- ptr->location = (char*)gf_malloc((u32) ptr->size);
++ u32 location_size = (u32) ptr->size;
++ if (location_size < 1) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in svhd box\n", ptr->size));
++ return GF_ISOM_INVALID_FILE;
++ }
++ ptr->location = (char*)gf_malloc(location_size);
+ if (! ptr->location) return GF_OUT_OF_MEM;
+- gf_bs_read_data(bs, ptr->location, (u32)ptr->size);
+- if (ptr->location[ptr->size-1]) {
++ gf_bs_read_data(bs, ptr->location, location_size);
++ if (ptr->location[location_size-1]) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] url box location is not 0-terminated\n" ));
+ return GF_ISOM_INVALID_FILE;
+ }
+@@ -1894,6 +1899,12 @@ GF_Err sdp_box_read(GF_Box *s, GF_BitStr
+ if (ptr == NULL) return GF_BAD_PARAM;
+
+ length = (u32) (ptr->size);
+
++ if (length >= (u32)0xFFFFFFFF) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in sdp box\n", length));
++ return GF_ISOM_INVALID_FILE;
++ }
++
+ //sdp text has no delimiter !!!
+ ptr->sdpText = (char*)gf_malloc(sizeof(char) * (length+1));
+ if (!ptr->sdpText) return GF_OUT_OF_MEM;
+@@ -1951,6 +1962,12 @@ GF_Err rtp_hnti_box_read(GF_Box *s, GF_B
+ ptr->subType = gf_bs_read_u32(bs);
+
+ length = (u32) (ptr->size);
+
++ if (length >= (u32)0xFFFFFFFF) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in rtp_hnti box\n", length));
++ return GF_ISOM_INVALID_FILE;
++ }
++
+ //sdp text has no delimiter !!!
+ ptr->sdpText = (char*)gf_malloc(sizeof(char) * (length+1));
+ if (!ptr->sdpText) return GF_OUT_OF_MEM;
+@@ -2614,6 +2631,12 @@ GF_Err name_box_read(GF_Box *s, GF_BitSt
+ GF_NameBox *ptr = (GF_NameBox *)s;
+
+ length = (u32) (ptr->size);
+
++ if (length >= (u32)0xFFFFFFFF) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in name box\n", length));
++ return GF_ISOM_INVALID_FILE;
++ }
++
+ ptr->string = (char*)gf_malloc(sizeof(char) * (length+1));
+ if (! ptr->string) return GF_OUT_OF_MEM;
+
+@@ -8437,6 +8460,10 @@ void txtc_box_del(GF_Box *s)
+ GF_Err txtc_box_read(GF_Box *s, GF_BitStream *bs)
+ {
+ GF_TextConfigBox *ptr = (GF_TextConfigBox*)s;
++ if ((u32)ptr->size >= (u32)0xFFFFFFFF) {
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in txtc box\n", ptr->size));
++ return GF_ISOM_INVALID_FILE;
++ }
+ ptr->config = (char *)gf_malloc(sizeof(char)*((u32) ptr->size+1));
+ if (!ptr->config) return GF_OUT_OF_MEM;
+ gf_bs_read_data(bs, ptr->config, (u32) ptr->size);
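Review bot: The GF_LOG added to url_box_read reports `Invalid size %llu in svhd box` although this reader handles the url box (the existing message a few lines below correctly says "url box location"); it should be `GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in url box\n", ptr->size));`. The three `Invalid length %lu` messages added to sdp_box_read, rtp_hnti_box_read and name_box_read print a u32 `length` with `%lu`, a format/argument mismatch on LP64 hosts; `%u` matches the declared type. In txtc_box_read the guard compares `(u32)ptr->size` after narrowing, so a 64-bit size whose low word is below 0xFFFFFFFF passes and the box is allocated and read with the truncated length, leaving the rest of the payload unread unless a caller checks; comparing `ptr->size >= 0xFFFFFFFFULL` would reject the oversized box outright. All four readers start and end outside their hunks.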