From: Reinhard Tartler
Date: Thu, 14 Feb 2019 23:29:57 +0000 (-0500)
Subject: Add patch for CVE-2018-20763
X-Git-Tag: archive/raspbian/1.0.1+dfsg1-4+rpi1~1^2~48
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=b762a359e211f6cfb602beb8653a62520c1955b4;p=gpac.git
Add patch for CVE-2018-20763
---
diff --git a/debian/patches/CVE-2018-20763.patch b/debian/patches/CVE-2018-20763.patch
new file mode 100644
index 0000000..fcb1d42
--- /dev/null
+++ b/debian/patches/CVE-2018-20763.patch
@@ -0,0 +1,111 @@
+commit 1c449a34fe0b50aaffb881bfb9d7c5ab0bb18cdd
+Author: Aurelien David
+Date: Fri Jan 11 14:05:16 2019 +0100
+Description: CVE-2018-20763
+
+ add some boundary checks on gf_text_get_utf8_line (#1188)
+
+--- a/src/media_tools/text_import.c
++++ b/src/media_tools/text_import.c
+@@ -201,49 +201,76 @@ char *gf_text_get_utf8_line(char *szLine
+ if (unicode_type<=1) {
+ j=0;
+ len = (u32) strlen(szLine);
+- for (i=0; i> 6) & 0x3 );
+- j++;
+- szLine[i] &= 0xbf;
++ if (j + 1 < sizeof(szLineConv) - 1) {
++ szLineConv[j] = 0xc0 | ((szLine[i] >> 6) & 0x3);
++ j++;
++ szLine[i] &= 0xbf;
++ }
++ else
++ break;
+ }
+ /*UTF8 2 bytes char*/
+ else if ( (szLine[i] & 0xe0) == 0xc0) {
+- szLineConv[j] = szLine[i];
+- i++;
+- j++;
++
++ // don't cut multibyte in the middle in there is no more room in dest
++ if (j + 1 < sizeof(szLineConv) - 1 && i + 1 < len) {
++ szLineConv[j] = szLine[i];
++ i++;
++ j++;
++ }
++ else {
++ break;
++ }
+ }
+ /*UTF8 3 bytes char*/
+ else if ( (szLine[i] & 0xf0) == 0xe0) {
+- szLineConv[j] = szLine[i];
+- i++;
+- j++;
+- szLineConv[j] = szLine[i];
+- i++;
+- j++;
++ if (j + 2 < sizeof(szLineConv) - 1 && i + 2 < len) {
++ szLineConv[j] = szLine[i];
++ i++;
++ j++;
++ szLineConv[j] = szLine[i];
++ i++;
++ j++;
++ }
++ else {
++ break;
++ }
+ }
+ /*UTF8 4 bytes char*/
+ else if ( (szLine[i] & 0xf8) == 0xf0) {
+- szLineConv[j] = szLine[i];
+- i++;
+- j++;
+- szLineConv[j] = szLine[i];
+- i++;
+- j++;
+- szLineConv[j] = szLine[i];
+- i++;
+- j++;
++ if (j + 3 < sizeof(szLineConv) - 1 && i + 3 < len) {
++ szLineConv[j] = szLine[i];
++ i++;
++ j++;
++ szLineConv[j] = szLine[i];
++ i++;
++ j++;
++ szLineConv[j] = szLine[i];
++ i++;
++ j++;
++ }
++ else {
++ break;
++ }
+ } else {
+ i+=1;
+ continue;
+ }
+ }
+- szLineConv[j] = szLine[i];
+- j++;
++ if (j < sizeof(szLineConv)-1 && i= sizeof(szLineConv))
++ szLineConv[sizeof(szLineConv) - 1] = 0;
++ else
++ szLineConv[j] = 0;
++
+ strcpy(szLine, szLineConv);
+ return sOK;
+ }
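Review bot: The copy-back `strcpy(szLine, szLineConv);` at the end of the hunk is still unbounded, so the added checks protect `szLineConv` but not the caller's `szLine`. The non-UTF8 branch stores `0xc0 | ((szLine[i] >> 6) & 0x3)` and the byte masked by `szLine[i] &= 0xbf` appears to be stored after it, so one input byte can become two output bytes and the converted string can be longer than the line that was read; whether `szLine` can hold it depends on its capacity, which this hunk does not show. Assuming the function's line-size parameter (the signature is cut off in the hunk header) is that capacity, bound the copy with it, for example `snprintf(szLine, lineSize, "%s", szLineConv);`, and consider reporting the truncation instead of silently dropping the tail when a branch hits `break`. Part of the loop header and of the final store is not legible on this page, so the loop bounds themselves should be checked against the upstream commit.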
diff --git a/debian/patches/series b/debian/patches/series
index 1fd08cf..82ab5cf 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ dont-err-build-on-uknown-system.patch
 ffmpeg_4.patch
 fix_makefile_install.patch
 CVE-2018-7752.patch
+CVE-2018-20763.patch