From: Debian Multimedia Maintainers
Date: Fri, 15 Feb 2019 11:43:22 +0000 (-0500)
Subject: CVE-2018-7752
X-Git-Tag: archive/raspbian/1.0.1+dfsg1-4+rpi1~1^2^2^2^2~5
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=e0bef5f328c3408b5b77eaef877755da6d5f72ce;p=gpac.git

CVE-2018-7752
fix some exploitable overflows (#994, #997)
Gbp-Pq: Name CVE-2018-7752.patch
---
diff --git a/include/gpac/tools.h b/include/gpac/tools.h
index a799f8c..44affa6 100644
--- a/include/gpac/tools.h
+++ b/include/gpac/tools.h
@@ -1067,6 +1067,7 @@ void gf_fm_request_call(u32 type, u32 param, int *value);
 /* \endcond */
+#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))
 #ifdef __cplusplus
 }
diff --git a/src/isomedia/avc_ext.c b/src/isomedia/avc_ext.c
index 933ef5a..cc78cd5 100644
--- a/src/isomedia/avc_ext.c
+++ b/src/isomedia/avc_ext.c
@@ -2361,6 +2361,8 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
 op->output_layer_set_idx = gf_bs_read_u16(bs);
 op->max_temporal_id = gf_bs_read_u8(bs);
 op->layer_count = gf_bs_read_u8(bs);
+ if (op->layer_count > ARRAY_LENGTH(op->layers_info))
+ return GF_NON_COMPLIANT_BITSTREAM;
 for (j = 0; j < op->layer_count; j++) {
 op->layers_info[j].ptl_idx = gf_bs_read_u8(bs);
 op->layers_info[j].layer_id = gf_bs_read_int(bs, 6);
diff --git a/src/media_tools/av_parsers.c b/src/media_tools/av_parsers.c
index 9cb8d13..d5a9810 100644
--- a/src/media_tools/av_parsers.c
+++ b/src/media_tools/av_parsers.c
@@ -2386,6 +2386,10 @@ s32 gf_media_avc_read_sps(const char *sps_data, u32 sps_size, AVCState *avc, u32
 sps->offset_for_non_ref_pic = bs_get_se(bs);
 sps->offset_for_top_to_bottom_field = bs_get_se(bs);
 sps->poc_cycle_length = bs_get_ue(bs);
+ if (sps->poc_cycle_length > ARRAY_LENGTH(sps->offset_for_ref_frame)) {
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CODING, ("[avc-h264] offset_for_ref_frame overflow from poc_cycle_length\n"));
+ goto exit;
+ }
 for(i=0; ipoc_cycle_length; i++) sps->offset_for_ref_frame[i] = bs_get_se(bs);
 }
 if (sps->poc_type > 2) {
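Review bot: `ARRAY_LENGTH` is added to include/gpac/tools.h with no comment and an unprefixed, very common name, so it can collide with a macro of the same name in any program that includes this header. It also yields a wrong count, with no diagnostic, if it is ever given a pointer instead of an array. Both bounds checks added in this commit rely on `op->layers_info` and `sps->offset_for_ref_frame` being true array members, which is not visible in this diff. I would put a comment such as `/* element count of a real array; never pass a pointer or an array parameter */` above the macro and consider a `GF_`-prefixed name to match the rest of the header.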
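Review bot: The new early `return GF_NON_COMPLIANT_BITSTREAM;` after `op->layer_count` is read leaves the function with no cleanup. The allocation is outside the hunk, so this needs confirming, but if `op` was allocated earlier in this iteration and not yet handed to its owning list, every rejected entry leaks it. In that case release it before returning, e.g. `gf_free(op);` ahead of the `return`, with braces around the two statements. The bound itself is consistent with the loop condition `j < op->layer_count` that follows. gf_isom_oinf_read_entry starts and ends outside the hunk.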
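Review bot: The out-of-range value is written to `sps->poc_cycle_length` before it is checked and is still stored there after `goto exit`. Any later code that walks `offset_for_ref_frame` using that field (none is visible here) would still index past the array. Clearing it on the error path, `sps->poc_cycle_length = 0;` before `goto exit;`, or reading into a local and assigning only after the check, closes that gap. Also confirm that the `exit` label returns a failure value from this point; if the return variable already holds a valid SPS id by then, the caller would treat the rejected SPS as successfully parsed. gf_media_avc_read_sps starts and ends outside the hunk.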