From: Debian Multimedia Maintainers Date: Mon, 19 Jun 2023 21:46:06 +0000 (+0100) Subject: CVE-2022-3222 X-Git-Tag: archive/raspbian/1.0.1+dfsg1-4+rpi1+deb11u3^2~42 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=d313c54ac05ec8440ca6fd4ca85382264b432f29;p=gpac.git CVE-2022-3222 Origin: https://github.com/gpac/gpac/commit/4e7736d7ec7bf64026daa611da951993bb42fdaf Reviewed-by: Aron Xu From 4e7736d7ec7bf64026daa611da951993bb42fdaf Mon Sep 17 00:00:00 2001 From: jeanlf Date: Mon, 12 Sep 2022 10:54:16 +0200 Subject: [PATCH] fixed #2238 Gbp-Pq: Name CVE-2022-3222.patch
---
diff --git a/src/bifs/script_dec.c b/src/bifs/script_dec.c
index 0edb501..cc6794a 100644
--- a/src/bifs/script_dec.c
+++ b/src/bifs/script_dec.c
@@ -40,6 +40,7 @@ typedef struct
 GF_List *identifiers;
 char *new_line;
 u32 indent;
+ u32 expr_stack_size;
 } ScriptParser;
@@ -169,6 +170,7 @@ GF_Err SFScript_Parse(GF_BifsDecoder *codec, SFScript *script_field, GF_BitStrea
 e = GF_OK;
 if (gf_node_get_tag(n) != TAG_MPEG4_Script) return GF_NON_COMPLIANT_BITSTREAM;
+ memset(&parser, 0, sizeof(ScriptParser));
 parser.codec = codec;
 parser.script = n;
 parser.bs = bs;
@@ -209,6 +211,10 @@ GF_Err SFScript_Parse(GF_BifsDecoder *codec, SFScript *script_field, GF_BitStrea
 SFS_Space(&parser);
 SFS_StatementBlock(&parser, GF_TRUE);
 SFS_Line(&parser);
+ if (codec->LastError) {
+ e = codec->LastError;
+ goto exit;
+ }
 }
 SFS_Line(&parser);
@@ -418,6 +424,7 @@ void SFS_CompoundExpression(ScriptParser *parser)
 if (parser->codec->LastError) return;
 SFS_Expression(parser);
 if (! gf_bs_read_int(parser->bs, 1)) return;
+ if (parser->codec->LastError) return;
 SFS_AddString(parser, ",");
 SFS_CompoundExpression(parser);
 }
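Review bot: The new `u32 expr_stack_size;` field in ScriptParser carries no comment, and its meaning — a recursion depth counter for SFS_Expression, not a byte size — is only discoverable from the `#define MAX_EXPR_STACK` and the increment/decrement pair further down the patch. I would write it as `u32 expr_stack_size; /* current SFS_Expression nesting depth, rejected above MAX_EXPR_STACK */` so the next reader does not mistake it for a buffer length. The struct definition begins outside the hunk.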
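Review bot: The LastError check added after `gf_bs_read_int` in SFS_CompoundExpression stops error propagation, but the function's self-recursion on the next line is still unbounded by the new depth counter: as far as the `@@ -430` and `@@ -675` hunks show, SFS_Expression decrements `expr_stack_size` before returning, so by the time `SFS_CompoundExpression(parser)` recurses the counter is back at its previous value and a long comma-separated list recurses once per element, limited only by the length of the bitstream. Since each recursion step only reads one bit, emits "," and parses one more expression, the recursion can be replaced by a loop with identical output and no per-element stack growth. The function's opening brace lies outside the hunk; the rewrite below covers the body from the first visible line to the closing brace.
```c
void SFS_CompoundExpression(ScriptParser *parser)
{
	if (parser->codec->LastError) return;
	SFS_Expression(parser);
	/* continuation bit set: another expression follows, separated by "," */
	while (gf_bs_read_int(parser->bs, 1)) {
		if (parser->codec->LastError) return;
		SFS_AddString(parser, ",");
		if (parser->codec->LastError) return;
		SFS_Expression(parser);
	}
}
```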
@@ -430,12 +437,20 @@ void SFS_OptionalExpression(ScriptParser *parser)
 }
 }
-
+#define MAX_EXPR_STACK 500
 void SFS_Expression(ScriptParser *parser)
 {
 u32 val = gf_bs_read_int(parser->bs, NUMBITS_EXPR_TYPE);
 if (parser->codec->LastError) return;
+ //limit max expression stack size
+ parser->expr_stack_size++;
+ if (parser->expr_stack_size>MAX_EXPR_STACK) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CODEC, ("[BIFS] Max stack size %d reached for expressions, not supported\n", MAX_EXPR_STACK))
+ parser->codec->LastError = GF_NON_COMPLIANT_BITSTREAM;
+ return;
+ }
+
 switch(val) {
 case ET_CURVED_EXPR:
 SFS_AddString(parser, "(");
@@ -675,6 +690,7 @@ void SFS_Expression(ScriptParser *parser)
 assert(0);
 break;
 }
+ parser->expr_stack_size--;
 }
 void SFS_NewObject(ScriptParser *parser)
@@ -691,6 +707,7 @@ void SFS_ArrayDeref(ScriptParser *parser)
 {
 if (parser->codec->LastError) return;
 SFS_Expression(parser);
+ if (parser->codec->LastError) return;
 SFS_AddString(parser, "[");
 SFS_CompoundExpression(parser);
 SFS_AddString(parser, "]");
@@ -709,6 +726,7 @@ void SFS_ObjectMemberAccess(ScriptParser *parser)
 {
 if (parser->codec->LastError) return;
 SFS_Expression(parser);
+ if (parser->codec->LastError) return;
 SFS_AddString(parser, ".");
 SFS_Identifier(parser);
 }
@@ -718,6 +736,7 @@ void SFS_ObjectMethodCall(ScriptParser *parser)
 {
 if (parser->codec->LastError) return;
 SFS_Expression(parser);
+ if (parser->codec->LastError) return;
 SFS_AddString(parser, ".");
 SFS_Identifier(parser);
 SFS_AddString(parser, "(");
@@ -732,6 +751,7 @@ void SFS_Params(ScriptParser *parser)
 val = gf_bs_read_int(parser->bs, 1);
 while (val) {
 SFS_Expression(parser);
+ if (parser->codec->LastError) return;
 val = gf_bs_read_int(parser->bs, 1);
 if(val) SFS_AddString(parser, ",");
 }
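Review bot: The decrement that balances the new `parser->expr_stack_size++` is placed only at the very end of SFS_Expression (the `@@ -675` hunk), so it is skipped by any early `return` inside the switch body, which lies between the two hunks and is not visible here; if a case does return before the tail, the counter drifts upward across sibling expressions of the same script and the MAX_EXPR_STACK check can fire on a conformant stream. The error path added in this hunk also returns without decrementing, which is harmless because LastError ends the parse, and `memset(&parser, 0, ...)` in SFScript_Parse resets the counter per script. Worth either confirming the switch has no early returns or routing them through a shared exit, e.g. `goto done;` in the cases and `done: parser->expr_stack_size--;` before the closing brace. The comment on the guard would also be clearer as `//limit nesting depth of SFS_Expression (recursion guard, not a byte size)`.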