From: Moritz Muehlenhoff Date: Sat, 15 May 2021 15:06:50 +0000 (+0200) Subject: Cherrypicked fixes for multiple security issues: X-Git-Tag: archive/raspbian/1.0.1+dfsg1-4+rpi1^2~23 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=e92a61eb77f04083e858959ae637f62872f6f14e;p=gpac.git Cherrypicked fixes for multiple security issues: (Closes: #987280, #987323, #987374) - CVE-2021-30014/CVE-2021-30020/CVE-2021-30022 - CVE-2020-35979 - CVE-2020-35981 - CVE-2020-35982 - CVE-2021-28300 - CVE-2021-29279 - CVE-2021-31255 - CVE-2021-31256 - CVE-2021-31261 - CVE-2021-30015 - CVE-2021-30019 - CVE-2021-30199 - CVE-2021-31257 - CVE-2021-31258 - CVE-2021-31260 - CVE-2021-31262 --- diff --git a/debian/patches/CVE-2020-35979.patch b/debian/patches/CVE-2020-35979.patch new file mode 100644 index 0000000..0c5bb10 --- /dev/null +++ b/debian/patches/CVE-2020-35979.patch 
@@ -0,0 +1,28 @@ +From b15020f54aff24aaeb64b80771472be8e64a7adc Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 4 Jan 2021 11:24:26 +0100 +Subject: [PATCH] fixed #1662 + +--- + src/media_tools/isom_hinter.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/media_tools/isom_hinter.c b/src/media_tools/isom_hinter.c +index 8af1d04b7f..2d05934f6d 100644 +--- a/src/media_tools/isom_hinter.c ++++ b/src/media_tools/isom_hinter.c +@@ -793,8 +793,12 @@ GF_Err gf_hinter_track_process(GF_RTPHinter *tkHint) + } + remain -= size; + tkHint->rtp_p->sl_header.accessUnitEndFlag = remain ? 0 : 1; +- e = gf_rtp_builder_process(tkHint->rtp_p, ptr, size, (u8) !remain, samp->dataLength, duration, (u8) (descIndex + GF_RTP_TX3G_SIDX_OFFSET) ); +- ptr += size; ++ if (!size) { ++ GF_LOG(GF_LOG_WARNING, GF_LOG_RTP, ("[rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it\n", size)); ++ } else { ++ e = gf_rtp_builder_process(tkHint->rtp_p, ptr, size, (u8) !remain, samp->dataLength, duration, (u8) (descIndex + GF_RTP_TX3G_SIDX_OFFSET) ); ++ ptr += size; ++ } + tkHint->rtp_p->sl_header.accessUnitStartFlag = 0; + } + } else { diff --git a/debian/patches/CVE-2020-35981.patch b/debian/patches/CVE-2020-35981.patch new file mode 100644 index 0000000..c9e2e57 --- /dev/null +++ b/debian/patches/CVE-2020-35981.patch 
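Review bot: The warning added for the zero-length NALU passes `size` to a `GF_LOG` format string that has no conversion specifier (`"... NALU size is 0, ignoring it\n", size`), so the argument is dead and `-Wformat-extra-args` will flag it; either drop it, `("[rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it\n")`, or give it a placeholder. Skipping the builder call also leaves `e` holding the previous iteration's status, which is only fine if nothing after the loop reads `e` for this sample. Whether an oversized `size` (larger than `remain`) is rejected before this point cannot be seen here, as gf_hinter_track_process starts and ends outside the hunk.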
@@ -0,0 +1,28 @@ +From dae9900580a8888969481cd72035408091edb11b Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 4 Jan 2021 11:06:52 +0100 +Subject: [PATCH] fixed #1659 + +--- + src/isomedia/isom_store.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/isomedia/isom_store.c b/src/isomedia/isom_store.c +index 37dfbe55a9..ee2b2cfaf2 100644 +--- a/src/isomedia/isom_store.c ++++ b/src/isomedia/isom_store.c +@@ -150,8 +150,14 @@ GF_Err SetupWriters(MovieWriter *mw, GF_List *writers, u8 interleaving) + + trackCount = gf_list_count(movie->moov->trackList); + for (i = 0; i < trackCount; i++) { ++ GF_SampleTableBox *stbl; + trak = gf_isom_get_track(movie->moov, i+1); + ++ stbl = (trak->Media && trak->Media->information) ? trak->Media->information->sampleTable : NULL; ++ if (!stbl || !stbl->SampleSize || !stbl->ChunkOffset || !stbl->SampleToChunk) { ++ return GF_ISOM_INVALID_FILE; ++ } ++ + GF_SAFEALLOC(writer, TrackWriter); + if (!writer) goto exit; + writer->sampleNumber = 1; diff --git a/debian/patches/CVE-2020-35982.patch b/debian/patches/CVE-2020-35982.patch new file mode 100644 index 0000000..8269076 --- /dev/null +++ b/debian/patches/CVE-2020-35982.patch 
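Review bot: The new `return GF_ISOM_INVALID_FILE;` inside the track loop bypasses the `exit:` label that the allocation-failure path two lines below reaches via `goto exit`, so whatever `exit` releases (presumably the TrackWriters already appended to `writers` for earlier tracks) is skipped on a malformed file. Set the status and take the common path instead, `e = GF_ISOM_INVALID_FILE; goto exit;`, assuming `e` is the variable the label returns — its declaration is above the hunk. The check itself is sound: `SampleSize`, `ChunkOffset` and `SampleToChunk` are mandatory boxes, so a missing one is a file error rather than GF_BAD_PARAM. SetupWriters begins and ends outside the hunk.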
@@ -0,0 +1,22 @@ +From a4eb327049132359cae54b59faec9e2f14c5a619 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 4 Jan 2021 11:10:48 +0100 +Subject: [PATCH] fixed #1660 + +--- + src/media_tools/isom_hinter.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/media_tools/isom_hinter.c b/src/media_tools/isom_hinter.c +index 5bf89cb5ca..8af1d04b7f 100644 +--- a/src/media_tools/isom_hinter.c ++++ b/src/media_tools/isom_hinter.c +@@ -967,6 +967,8 @@ GF_Err gf_hinter_track_finalize(GF_RTPHinter *tkHint, Bool AddSystemInfo) + if (avcc) { + sprintf(sdpLine, "a=fmtp:%d profile-level-id=%02X%02X%02X; packetization-mode=1", tkHint->rtp_p->PayloadType, avcc->AVCProfileIndication, avcc->profile_compatibility, avcc->AVCLevelIndication); + } else { ++ if (!svcc) ++ return GF_ISOM_INVALID_FILE; + sprintf(sdpLine, "a=fmtp:%d profile-level-id=%02X%02X%02X; packetization-mode=1", tkHint->rtp_p->PayloadType, svcc->AVCProfileIndication, svcc->profile_compatibility, svcc->AVCLevelIndication); + } + diff --git a/debian/patches/CVE-2021-28300.patch b/debian/patches/CVE-2021-28300.patch new file mode 100644 index 0000000..2e39c52 --- /dev/null +++ b/debian/patches/CVE-2021-28300.patch @@ -0,0 +1,20 @@ +From c4a5109dad73abe25ad12d8d529a728ae98d78ca Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Thu, 11 Mar 2021 15:28:56 +0100 +Subject: [PATCH] fixed #1702 + +--- + src/isomedia/track.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- gpac-1.0.1+dfsg1.orig/src/isomedia/track.c ++++ gpac-1.0.1+dfsg1/src/isomedia/track.c +@@ -1019,7 +1019,7 @@ GF_Err MergeTrack(GF_TrackBox *trak, GF_ + break; + } + } +- if (saiz && saio) { ++ if (saiz && saio && senc) { + for (i = 0; i < saiz->sample_count; i++) { + GF_CENCSampleAuxInfo *sai; + diff --git a/debian/patches/CVE-2021-29279.patch b/debian/patches/CVE-2021-29279.patch new file mode 100644 index 0000000..0ea538a --- /dev/null +++ b/debian/patches/CVE-2021-29279.patch 
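Review bot: The `if (!svcc) return GF_ISOM_INVALID_FILE;` guard leaves two branches that differ only in which config pointer feeds the same three fields into the same format string; collapsing them removes the duplicated `sprintf` and lets one null check cover both: `GF_AVCConfig *cfg = avcc ? avcc : svcc;` then `if (!cfg) return GF_ISOM_INVALID_FILE;` followed by a single `sprintf(sdpLine, ..., cfg->AVCProfileIndication, cfg->profile_compatibility, cfg->AVCLevelIndication);`. This assumes `avcc` and `svcc` share a type, which the identical field access suggests but the hunk does not show. Whether the early return skips cleanup of anything acquired earlier in gf_hinter_track_finalize cannot be judged from here; the function starts and ends outside the hunk.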
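Review bot: Requiring `senc` in `if (saiz && saio && senc)` avoids the null dereference, but a fragment that carries `saiz`/`saio` without a `senc` box now silently loses its CENC sample auxiliary info with no diagnostic, so a later decryption failure is hard to trace back to the file. An `else if (saiz && saio)` branch with a `GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ...)`, or returning GF_ISOM_INVALID_FILE if the box is mandatory for these schemes, would keep the condition visible. MergeTrack starts and ends outside the hunk, and the same condition is touched again by the CVE-2021-31260 patch later in this series, so the two must stay applied in series order.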
@@ -0,0 +1,58 @@ +From da69ad1f970a7e17c865eaec9af98cc84df10d5b Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 29 Mar 2021 09:17:40 +0200 +Subject: [PATCH] fixed 1718 + +--- + src/filters/reframe_flac.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +--- gpac-1.0.1+dfsg1.orig/src/filters/reframe_flac.c ++++ gpac-1.0.1+dfsg1/src/filters/reframe_flac.c +@@ -59,6 +59,7 @@ typedef struct + Bool is_playing; + Bool is_file; + Bool initial_play_done, file_loaded; ++ Bool in_error; + + Bool initialized; + u32 sample_rate, nb_channels, bits_per_sample, block_size; +@@ -378,6 +379,9 @@ GF_Err flac_dmx_process(GF_Filter *filte + u64 cts = GF_FILTER_NO_TS; + FLACHeader hdr; + ++ if (ctx->in_error) ++ return GF_NON_COMPLIANT_BITSTREAM; ++ + //always reparse duration + if (!ctx->duration.num) + flac_dmx_check_dur(filter, ctx); +@@ -484,7 +488,12 @@ GF_Err flac_dmx_process(GF_Filter *filte + gf_bs_reassign_buffer(ctx->bs, ctx->flac_buffer, size); + u32 magic = gf_bs_read_u32(ctx->bs); + if (magic != GF_4CC('f','L','a','C')) { +- ++ GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[FLACDmx] invalid FLAC magic\n")); ++ ctx->in_error = GF_TRUE; ++ ctx->flac_buffer_size = 0; ++ if (pck) ++ gf_filter_pid_drop_packet(ctx->ipid); ++ return GF_NON_COMPLIANT_BITSTREAM; + } + while (gf_bs_available(ctx->bs)) { + Bool last = gf_bs_read_int(ctx->bs, 1); +@@ -514,6 +523,14 @@ GF_Err flac_dmx_process(GF_Filter *filte + } + if (last) break; + } ++ if (!dsi_end) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[FLACDmx] invalid FLAC header\n")); ++ ctx->in_error = GF_TRUE; ++ ctx->flac_buffer_size = 0; ++ if (pck) ++ gf_filter_pid_drop_packet(ctx->ipid); ++ return GF_NON_COMPLIANT_BITSTREAM; ++ } + flac_dmx_check_pid(filter, ctx, ctx->flac_buffer+4, dsi_end-4); + remain -= size; + start += size; 
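Review bot: The two new error exits (`invalid FLAC magic` and `invalid FLAC header`) repeat the same five statements — log, set `ctx->in_error`, clear `flac_buffer_size`, drop the packet, return GF_NON_COMPLIANT_BITSTREAM — which is worth folding into one `static` helper taking the context, the packet and the message so a later fix touches one place. Once `in_error` is set, the early return at the top of flac_dmx_process fires before any input packet is fetched, so the input queue is never drained and `ctx->opid` is never told EOS; unless the filter session tears the filter down on this error code (not visible here), consider `gf_filter_pid_set_eos(ctx->opid)` when entering the error state, guarded on `ctx->opid` being set. flac_dmx_process begins and ends outside the hunk.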
diff --git a/debian/patches/CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch b/debian/patches/CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch new file mode 100644 index 0000000..42294f2 --- /dev/null +++ b/debian/patches/CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch 
@@ -0,0 +1,67 @@ +Backport of + +From 51cdb67ff7c5f1242ac58c5aa603ceaf1793b788 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 29 Mar 2021 09:34:02 +0200 +Subject: [PATCH] add safety in avc/hevc/vvc sps/pps/vps ID check - cf #1720 + #1721 #1722 + +--- gpac-1.0.1+dfsg1.orig/src/media_tools/av_parsers.c ++++ gpac-1.0.1+dfsg1/src/media_tools/av_parsers.c +@@ -5012,10 +5012,7 @@ static s32 gf_media_avc_read_sps_bs_inte + by subset SPS. According to the SVC standard, subset SPS can have the same sps_id + than its base layer, but it does not refer to the same SPS. */ + sps_id = gf_bs_get_ue(bs) + GF_SVC_SSPS_ID_SHIFT * subseq_sps; +- if (sps_id >= 32) { +- return -1; +- } +- if (sps_id < 0) { ++ if ((sps_id < 0) || (sps_id >= 32)) { + return -1; + } + +@@ -5342,7 +5339,7 @@ static s32 gf_media_avc_read_pps_bs_inte + /*nal_hdr = */gf_bs_read_u8(bs); + } + pps_id = gf_bs_get_ue(bs); +- if (pps_id >= 255) { ++ if ((pps_id<0) || (pps_id >= 255)) { + return -1; + } + pps = &avc->pps[pps_id]; +@@ -5350,7 +5347,7 @@ static s32 gf_media_avc_read_pps_bs_inte + + if (!pps->status) pps->status = 1; + pps->sps_id = gf_bs_get_ue(bs); +- if (pps->sps_id >= 32) { ++ if ((pps->sps_id<0) || (pps->sps_id >= 32)) { + pps->sps_id = 0; + return -1; + } +@@ -6595,7 +6592,7 @@ s32 hevc_parse_slice_segment(GF_BitStrea + } + + pps_id = gf_bs_get_ue(bs); +- if (pps_id >= 64) ++ if ((pps_id<0) || (pps_id >= 64)) + return -1; + + pps = &hevc->pps[pps_id]; +@@ -7409,7 +7406,7 @@ static s32 gf_media_hevc_read_vps_bs_int + //nalu header already parsed + vps_id = gf_bs_read_int(bs, 4); + +- if (vps_id >= 16) return -1; ++ if ((vps_id<0) || (vps_id >= 16)) return -1; + + vps = &hevc->vps[vps_id]; + vps->bit_pos_vps_extensions = -1; +@@ -7637,7 +7634,7 @@ static s32 gf_media_hevc_read_sps_bs_int + + //nalu header already parsed + vps_id = gf_bs_read_int(bs, 4); +- if (vps_id >= 16) { ++ if ((vps_id<0) || (vps_id >= 16)) { + return -1; + } + memset(&ptl, 0, sizeof(ptl)); 
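Review bot: In the two `vps_id` hunks the value comes from `gf_bs_read_int(bs, 4)`, which yields 0..15, so `(vps_id<0) || (vps_id >= 16)` can never be true and the added comparison is dead code rather than added safety; the checks that matter are the `gf_bs_get_ue` ones, where — if `gf_bs_get_ue` returns u32 and the IDs are `s32` — an ue(v) value at or above 2^31 lands as a negative number that the old `>= N` test let through into `avc->pps[pps_id]` / `hevc->pps[pps_id]`. If any of those locals or `pps->sps_id` is instead `u32`, the `<0` half is dead there too and compilers will warn; the hunk does not show the declarations. A one-line comment at the first site, `/* ue(v) may exceed the s32 range and wrap negative, so test both bounds */`, would record why the combined test is needed. Each touched function starts and ends outside its hunk, and the backport drops the VVC part of the upstream commit (presumably because 1.0.1 has no VVC parser).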
diff --git a/debian/patches/CVE-2021-30015.patch b/debian/patches/CVE-2021-30015.patch new file mode 100644 index 0000000..632b8b0 --- /dev/null +++ b/debian/patches/CVE-2021-30015.patch @@ -0,0 +1,21 @@ +From 13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 29 Mar 2021 09:21:51 +0200 +Subject: [PATCH] fixed #1719 + +--- + src/filters/reframe_av1.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- gpac-1.0.1+dfsg1.orig/src/filters/reframe_av1.c ++++ gpac-1.0.1+dfsg1/src/filters/reframe_av1.c +@@ -718,6 +718,9 @@ static GF_Err av1dmx_parse_flush_sample( + GF_FilterPacket *pck; + u8 *output; + ++ if (!ctx->opid) ++ return GF_NON_COMPLIANT_BITSTREAM; ++ + gf_bs_get_content_no_truncate(ctx->state.bs, &ctx->state.frame_obus, &pck_size, &ctx->state.frame_obus_alloc); + + if (!pck_size) { diff --git a/debian/patches/CVE-2021-30019.patch b/debian/patches/CVE-2021-30019.patch new file mode 100644 index 0000000..d598629 --- /dev/null +++ b/debian/patches/CVE-2021-30019.patch @@ -0,0 +1,24 @@ +From 13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 29 Mar 2021 09:21:51 +0200 +Subject: [PATCH] fixed #1719 + +--- + src/filters/reframe_av1.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- gpac-1.0.1+dfsg1.orig/src/filters/reframe_adts.c ++++ gpac-1.0.1+dfsg1/src/filters/reframe_adts.c +@@ -683,6 +683,12 @@ GF_Err adts_dmx_process(GF_Filter *filte + break; + } + ++ if (ctx->hdr.frame_size < ctx->hdr.hdr_size) { ++ GF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, ("[ADTSDmx] Corrupted ADTS frame header, resyncing\n")); ++ ctx->nb_frames = 0; ++ goto drop_byte; ++ } ++ + adts_dmx_check_pid(filter, ctx); + + if (!ctx->is_playing) { diff --git a/debian/patches/CVE-2021-30199.patch b/debian/patches/CVE-2021-30199.patch new file mode 100644 index 0000000..2b627a0 --- /dev/null +++ b/debian/patches/CVE-2021-30199.patch 
@@ -0,0 +1,35 @@ +From b2db2f99b4c30f96e17b9a14537c776da6cb5dca Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Thu, 8 Apr 2021 09:29:42 +0200 +Subject: [PATCH] fixed #1728 + +--- + src/filters/reframe_latm.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- gpac-1.0.1+dfsg1.orig/src/filters/reframe_latm.c ++++ gpac-1.0.1+dfsg1/src/filters/reframe_latm.c +@@ -424,8 +424,8 @@ GF_Err latm_dmx_process(GF_Filter *filte + GF_LATMDmxCtx *ctx = gf_filter_get_udta(filter); + GF_FilterPacket *pck, *dst_pck; + u32 pos; +- u8 *data, *output; +- u32 pck_size, prev_pck_size; ++ u8 *data=NULL, *output; ++ u32 pck_size=0, prev_pck_size; + u64 cts = GF_FILTER_NO_TS; + + //always reparse duration +@@ -448,10 +448,10 @@ GF_Err latm_dmx_process(GF_Filter *filte + } else { + return GF_OK; + } ++ } else { ++ data = (char *) gf_filter_pck_get_data(pck, &pck_size); + } + +- data = (char *) gf_filter_pck_get_data(pck, &pck_size); +- + //input pid sets some timescale - we flushed pending data , update cts + if (ctx->timescale && pck) { + cts = gf_filter_pck_get_cts(pck); diff --git a/debian/patches/CVE-2021-31255.patch b/debian/patches/CVE-2021-31255.patch new file mode 100644 index 0000000..2a44594 --- /dev/null +++ b/debian/patches/CVE-2021-31255.patch 
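Review bot: `data` is declared `u8 *` but the moved assignment still casts to `char *`: `data = (char *) gf_filter_pck_get_data(pck, &pck_size);` — the cast is there to drop the `const` on the returned pointer and should name the destination type, `data = (u8 *) gf_filter_pck_get_data(pck, &pck_size);`, to avoid the incompatible-pointer warning if `u8` is `unsigned char`. Initialising `data=NULL, pck_size=0` makes the no-packet flush path well defined only if every later use of `data` is guarded on `pck` or `pck_size`; latm_dmx_process continues past the hunk, so that needs checking there.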
@@ -0,0 +1,123 @@ +From 758135e91e623d7dfe7f6aaad7aeb3f791b7a4e5 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Thu, 8 Apr 2021 10:07:35 +0200 +Subject: [PATCH] fixed #1733 + +--- + src/isomedia/box_code_adobe.c | 35 ++++++++++++++++++++++++++++++----- + 1 file changed, 30 insertions(+), 5 deletions(-) + +diff --git a/src/isomedia/box_code_adobe.c b/src/isomedia/box_code_adobe.c +index ab5115f25a..711d84bf0d 100644 +--- a/src/isomedia/box_code_adobe.c ++++ b/src/isomedia/box_code_adobe.c +@@ -79,6 +79,7 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs) + int i; + u32 tmp_strsize; + char *tmp_str; ++ Bool zfound=GF_FALSE; + GF_Err e; + + ISOM_DECREASE_SIZE(ptr, 25) +@@ -102,10 +103,14 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs) + ISOM_DECREASE_SIZE(ptr, 1) + tmp_str[i] = gf_bs_read_u8(bs); + tmp_strsize--; +- if (!tmp_str[i]) ++ if (!tmp_str[i]) { ++ zfound = GF_TRUE; + break; ++ } + i++; + } ++ if (!zfound) ++ return GF_ISOM_INVALID_FILE; + if (i) { + ptr->movie_identifier = gf_strdup(tmp_str); + } +@@ -114,15 +119,20 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs) + ptr->server_entry_count = gf_bs_read_u8(bs); + for (i=0; iserver_entry_count; i++) { + int j=0; ++ zfound = GF_FALSE; + tmp_strsize=(u32)ptr->size; + while (tmp_strsize) { + ISOM_DECREASE_SIZE(ptr, 1) + tmp_str[j] = gf_bs_read_u8(bs); + tmp_strsize--; +- if (!tmp_str[j]) ++ if (!tmp_str[j]) { ++ zfound = GF_TRUE; + break; ++ } + j++; + } ++ if (!zfound) ++ return GF_ISOM_INVALID_FILE; + if (j) { + gf_list_insert(ptr->server_entry_table, gf_strdup(tmp_str), i); + } +@@ -132,16 +142,21 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs) + ptr->quality_entry_count = gf_bs_read_u8(bs); + for (i=0; iquality_entry_count; i++) { + int j=0; ++ zfound = GF_FALSE; + tmp_strsize=(u32)ptr->size; + while (tmp_strsize) { + ISOM_DECREASE_SIZE(ptr, 1) + tmp_str[j] = gf_bs_read_u8(bs); + tmp_strsize--; +- if (!tmp_str[j]) ++ if (!tmp_str[j]) { ++ zfound = GF_TRUE; + break; ++ } + j++; + } + ++ if 
(!zfound) ++ return GF_ISOM_INVALID_FILE; + if (j) { + gf_list_insert(ptr->quality_entry_table, gf_strdup(tmp_str), i); + } +@@ -149,28 +164,38 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs) + + i=0; + tmp_strsize=(u32)ptr->size; ++ zfound = GF_FALSE; + while (tmp_strsize) { + ISOM_DECREASE_SIZE(ptr, 1) + tmp_str[i] = gf_bs_read_u8(bs); + tmp_strsize--; +- if (!tmp_str[i]) ++ if (!tmp_str[i]) { ++ zfound = GF_TRUE; + break; ++ } + i++; + } ++ if (!zfound) ++ return GF_ISOM_INVALID_FILE; + if (i) { + ptr->drm_data = gf_strdup(tmp_str); + } + + i=0; + tmp_strsize=(u32)ptr->size; ++ zfound = GF_FALSE; + while (tmp_strsize) { + ISOM_DECREASE_SIZE(ptr, 1) + tmp_str[i] = gf_bs_read_u8(bs); + tmp_strsize--; +- if (!tmp_str[i]) ++ if (!tmp_str[i]) { ++ zfound = GF_TRUE; + break; ++ } + i++; + } ++ if (!zfound) ++ return GF_ISOM_INVALID_FILE; + if (i) { + ptr->meta_data = gf_strdup(tmp_str); + } diff --git a/debian/patches/CVE-2021-31256.patch b/debian/patches/CVE-2021-31256.patch new file mode 100644 index 0000000..d5b2896 --- /dev/null +++ b/debian/patches/CVE-2021-31256.patch 
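Review bot: Each new `if (!zfound) return GF_ISOM_INVALID_FILE;` leaves abst_box_read without releasing `tmp_str`, which is a plain `char *` declared at the top of the function and, judging by the per-string `tmp_strsize=(u32)ptr->size` sizing, is heap-allocated between the hunks — five new leak paths on a malformed file (the pre-existing `ISOM_DECREASE_SIZE` returns have the same problem). Use the existing `e` status and a single exit, `e = GF_ISOM_INVALID_FILE; goto exit;` with `exit: gf_free(tmp_str); return e;` at the end, adding the label if none exists yet. The unterminated-string check itself is right: without it `tmp_str` would not be NUL-terminated and `gf_strdup(tmp_str)` would read past the copied payload. The function starts and ends outside the hunk.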
@@ -0,0 +1,27 @@ +From 2da2f68bffd51d89b1d272d22aa8cc023c1c066e Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Fri, 12 Mar 2021 11:46:56 +0100 +Subject: [PATCH] fixed #1705 + +--- + src/isomedia/stbl_read.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/isomedia/stbl_read.c b/src/isomedia/stbl_read.c +index ebfbe62abe..384d4f7827 100644 +--- a/src/isomedia/stbl_read.c ++++ b/src/isomedia/stbl_read.c +@@ -419,11 +419,13 @@ GF_Err stbl_GetSampleInfos(GF_SampleTableBox *stbl, u32 sampleNumber, u64 *offse + if ( stbl->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) { + stco = (GF_ChunkOffsetBox *)stbl->ChunkOffset; + if (!stco->offsets) return GF_ISOM_INVALID_FILE; ++ if (stco->nb_entries < sampleNumber) return GF_ISOM_INVALID_FILE; + + (*offset) = (u64) stco->offsets[sampleNumber - 1]; + } else { + co64 = (GF_ChunkLargeOffsetBox *)stbl->ChunkOffset; + if (!co64->offsets) return GF_ISOM_INVALID_FILE; ++ if (co64->nb_entries < sampleNumber) return GF_ISOM_INVALID_FILE; + + (*offset) = co64->offsets[sampleNumber - 1]; + } diff --git a/debian/patches/CVE-2021-31257.patch b/debian/patches/CVE-2021-31257.patch new file mode 100644 index 0000000..fbfe1da --- /dev/null +++ b/debian/patches/CVE-2021-31257.patch @@ -0,0 +1,20 @@ +From 87afe070cd6866df7fe80f11b26ef75161de85e0 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Thu, 8 Apr 2021 10:09:46 +0200 +Subject: [PATCH] fixed #1734 + +--- + applications/mp4box/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- gpac-1.0.1+dfsg1.orig/applications/mp4box/main.c ++++ gpac-1.0.1+dfsg1/applications/mp4box/main.c +@@ -1296,7 +1296,7 @@ GF_Err HintFile(GF_ISOFile *file, u32 MT + + streamType = 0; + esd = gf_isom_get_esd(file, i+1, 1); +- if (esd) { ++ if (esd && esd->decoderConfig) { + streamType = esd->decoderConfig->streamType; + if (!prev_ocr) { + prev_ocr = esd->OCRESID; diff --git a/debian/patches/CVE-2021-31258.patch b/debian/patches/CVE-2021-31258.patch new file mode 100644 index 0000000..6405695 
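Review bot: `if (stco->nb_entries < sampleNumber) return GF_ISOM_INVALID_FILE;` rejects indices past the end but still admits `sampleNumber == 0`, which turns `stco->offsets[sampleNumber - 1]` into `offsets[0xFFFFFFFF]` since `sampleNumber` is `u32`; unless a non-zero check sits earlier in stbl_GetSampleInfos (its start is outside the hunk), write `if (!sampleNumber || stco->nb_entries < sampleNumber) return GF_ISOM_INVALID_FILE;` and the same for `co64`. The stco and co64 branches are now identical apart from the box type and could share a small static accessor.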
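Review bot: Tightening the condition to `if (esd && esd->decoderConfig)` means an ESD without a decoderConfig is skipped entirely — including, if the `gf_odf_desc_del((GF_Descriptor*)esd)` call sits inside this block, the release of `esd`, so such a track now leaks the descriptor returned by `gf_isom_get_esd`. The CVE-2021-31261 patch later in this series fixes exactly that shape in isom_hinter.c by moving the delete outside the guard: `if (esd) gf_odf_desc_del((GF_Descriptor*)esd);` after the block. The body of HintFile continues past the hunk, so the delete's position must be confirmed there.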
--- /dev/null
+++ b/debian/patches/CVE-2021-31258.patch
@@ -0,0 +1,71 @@ +From ebfa346eff05049718f7b80041093b4c5581c24e Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Fri, 12 Mar 2021 11:56:53 +0100 +Subject: [PATCH] fixed #1706 + +--- + src/isomedia/isom_read.c | 1 + + src/isomedia/isom_write.c | 13 ++++++++++--- + src/media_tools/isom_hinter.c | 6 +++++- + 3 files changed, 16 insertions(+), 4 deletions(-) + +--- gpac-1.0.1+dfsg1.orig/src/isomedia/isom_read.c ++++ gpac-1.0.1+dfsg1/src/isomedia/isom_read.c +@@ -3802,6 +3802,7 @@ u32 gf_isom_guess_specification(GF_ISOFi + case GF_ISOM_SUBTYPE_MPEG4_CRYP: + { + GF_DecoderConfig *dcd = gf_isom_get_decoder_config(file, i+1, 1); ++ if (!dcd) break; + switch (dcd->streamType) { + case GF_STREAM_VISUAL: + if (dcd->objectTypeIndication==GF_CODECID_MPEG4_PART2) nb_m4v++; +--- gpac-1.0.1+dfsg1.orig/src/isomedia/isom_write.c ++++ gpac-1.0.1+dfsg1/src/isomedia/isom_write.c +@@ -5224,6 +5224,7 @@ GF_Err gf_isom_set_extraction_slc(GF_ISO + GF_SampleEntryBox *entry; + GF_Err e; + GF_SLConfig **slc; ++ GF_ESDBox *esds; + + trak = gf_isom_get_track_from_file(the_file, trackNumber); + if (!trak) return GF_BAD_PARAM; +@@ -5234,15 +5235,21 @@ GF_Err gf_isom_set_extraction_slc(GF_ISO + //we must be sure we are not using a remote ESD + switch (entry->type) { + case GF_ISOM_BOX_TYPE_MP4S: +- if (((GF_MPEGSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM; ++ esds = ((GF_MPEGSampleEntryBox *)entry)->esd; ++ if (!esds || !esds->desc || !esds->desc->slConfig || (esds->desc->slConfig->predefined != SLPredef_MP4)) ++ return GF_ISOM_INVALID_FILE; + slc = & ((GF_MPEGSampleEntryBox *)entry)->slc; + break; + case GF_ISOM_BOX_TYPE_MP4A: +- if (((GF_MPEGAudioSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM; ++ esds = ((GF_MPEGAudioSampleEntryBox *)entry)->esd; ++ if (!esds || !esds->desc || !esds->desc->slConfig || (esds->desc->slConfig->predefined != SLPredef_MP4)) ++ return GF_ISOM_INVALID_FILE; + slc = & 
((GF_MPEGAudioSampleEntryBox *)entry)->slc; + break; + case GF_ISOM_BOX_TYPE_MP4V: +- if (((GF_MPEGVisualSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM; ++ esds = ((GF_MPEGVisualSampleEntryBox *)entry)->esd; ++ if (!esds || !esds->desc || !esds->desc->slConfig || (esds->desc->slConfig->predefined != SLPredef_MP4)) ++ return GF_ISOM_INVALID_FILE; + slc = & ((GF_MPEGVisualSampleEntryBox *)entry)->slc; + break; + default: +--- gpac-1.0.1+dfsg1.orig/src/media_tools/isom_hinter.c ++++ gpac-1.0.1+dfsg1/src/media_tools/isom_hinter.c +@@ -641,7 +641,11 @@ GF_RTPHinter *gf_hinter_track_new(GF_ISO + if (hintType==GF_RTP_PAYT_MPEG4) { + tmp->rtp_p->slMap.CodecID = codecid; + /*set this SL for extraction.*/ +- gf_isom_set_extraction_slc(file, TrackNum, 1, &my_sl); ++ *e = gf_isom_set_extraction_slc(file, TrackNum, 1, &my_sl); ++ if (*e) { ++ gf_hinter_track_del(tmp); ++ return NULL; ++ } + } + tmp->bandwidth = bandwidth; + diff --git a/debian/patches/CVE-2021-31260.patch b/debian/patches/CVE-2021-31260.patch new file mode 100644 index 0000000..01f70ad --- /dev/null +++ b/debian/patches/CVE-2021-31260.patch 
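Review bot: The three `case` branches of gf_isom_set_extraction_slc now carry an identical four-line guard differing only in the cast type, and all three change the error code from GF_BAD_PARAM to GF_ISOM_INVALID_FILE, an observable change for external callers of this exported function; the new code is right (a missing `esd`/`desc`/`slConfig` is a file defect), but the return-code change deserves a changelog line. The duplication would shrink to one guard after the switch with a `static GF_ESDBox *` helper that returns the `esd` for the three entry types. In the isom_hinter.c hunk `*e = gf_isom_set_extraction_slc(...)` is now checked, which closes the NULL `slConfig` path, but `gf_hinter_track_del(tmp)` must tolerate the partially initialised `tmp` at that point — not visible here. All three functions start and end outside their hunks.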
@@ -0,0 +1,36 @@ +From df8fffd839fe5ae9acd82d26fd48280a397411d9 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Thu, 8 Apr 2021 10:21:26 +0200 +Subject: [PATCH] fixed #1736 + +--- + src/isomedia/track.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- gpac-1.0.1+dfsg1.orig/src/isomedia/track.c ++++ gpac-1.0.1+dfsg1/src/isomedia/track.c +@@ -1003,10 +1003,13 @@ GF_Err MergeTrack(GF_TrackBox *trak, GF_ + if ((aux_info_type == GF_ISOM_CENC_SCHEME) || (aux_info_type == GF_ISOM_CBC_SCHEME) || + (aux_info_type == GF_ISOM_CENS_SCHEME) || (aux_info_type == GF_ISOM_CBCS_SCHEME) || + (gf_list_count(traf->sai_offsets) == 1)) { +- offset = saio->offsets[0] + moof_offset; +- nb_saio = saio->entry_count; +- break; ++ if (saio->offsets && saio->entry_count) { ++ offset = saio->offsets[0] + moof_offset; ++ nb_saio = saio->entry_count; ++ break; ++ } + } ++ saio = NULL; + } + for (i = 0; i < gf_list_count(traf->sai_sizes); i++) { + saiz = (GF_SampleAuxiliaryInfoSizeBox *)gf_list_get(traf->sai_sizes, i); +@@ -1018,6 +1021,7 @@ GF_Err MergeTrack(GF_TrackBox *trak, GF_ + (gf_list_count(traf->sai_sizes) == 1)) { + break; + } ++ saiz = NULL; + } + if (saiz && saio && senc) { + for (i = 0; i < saiz->sample_count; i++) { diff --git a/debian/patches/CVE-2021-31261.patch b/debian/patches/CVE-2021-31261.patch new file mode 100644 index 0000000..2865313 --- /dev/null +++ b/debian/patches/CVE-2021-31261.patch 
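Review bot: With `if (saio->offsets && saio->entry_count)` plus the trailing `saio = NULL;`, a matching `saio` box that is empty is treated exactly like an absent one, so the later `if (saiz && saio && senc)` silently skips the aux-info merge for an encrypted fragment with no diagnostic; a `GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ...)` at the point where the empty box is discarded would keep the corruption visible. The guard covers only `offsets[0]`; how `nb_saio` is later reconciled with `saiz->sample_count` in the `for (i = 0; i < saiz->sample_count; i++)` loop is below the hunk and should be checked for the case `1 < entry_count < sample_count`. Placing `saio = NULL;` / `saiz = NULL;` at the end of each loop body works but is easy to misread; a comment such as `/* not usable for this fragment: keep looking */` on each would help. MergeTrack starts and ends outside the hunk.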
@@ -0,0 +1,24 @@ +From cd3738dea038dbd12e603ad48cd7373ae0440f65 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Fri, 9 Apr 2021 11:12:47 +0200 +Subject: [PATCH] fixed #1737 + +--- + src/media_tools/isom_hinter.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/media_tools/isom_hinter.c b/src/media_tools/isom_hinter.c +index 6aeb9d172..6c4da454a 100644 +--- a/src/media_tools/isom_hinter.c ++++ b/src/media_tools/isom_hinter.c +@@ -402,8 +402,9 @@ GF_RTPHinter *gf_hinter_track_new(GF_ISOFile *file, u32 TrackNum, + else if (gf_isom_has_sync_shadows(file, TrackNum) || gf_isom_has_sample_dependency(file, TrackNum)) { + flags |= GP_RTP_PCK_SYSTEMS_CAROUSEL; + } +- gf_odf_desc_del((GF_Descriptor*)esd); + } ++ if (esd) ++ gf_odf_desc_del((GF_Descriptor*)esd); + break; + case GF_ISOM_SUBTYPE_3GP_H263: + hintType = GF_RTP_PAYT_H263; diff --git a/debian/patches/CVE-2021-31262.patch b/debian/patches/CVE-2021-31262.patch new file mode 100644 index 0000000..20c9d96 --- /dev/null +++ b/debian/patches/CVE-2021-31262.patch 
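Review bot: Moving the delete to `if (esd) gf_odf_desc_del((GF_Descriptor*)esd);` after the block closes the leak for the case where the inner condition is false, but the guard is redundant if `gf_odf_desc_del` already rejects a NULL descriptor (not visible here) — then the bare call suffices. Any other exit between `esd = gf_isom_get_esd(...)` and this point would still leak, so a delete at every such exit, or a single cleanup path, is the robust shape; the enclosing `case` starts above the hunk. gf_hinter_track_new begins and ends outside the hunk.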
@@ -0,0 +1,39 @@ +From b2eab95e07cb5819375a50358d4806a8813b6e50 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Fri, 9 Apr 2021 11:17:40 +0200 +Subject: [PATCH] fixed #1738 + +--- + src/isomedia/avc_ext.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- gpac-1.0.1+dfsg1.orig/src/isomedia/avc_ext.c ++++ gpac-1.0.1+dfsg1/src/isomedia/avc_ext.c +@@ -1330,7 +1330,8 @@ static GF_Err gf_isom_check_mvc(GF_ISOFi + return GF_OK; + } + +-static GF_AV1Config* AV1_DuplicateConfig(GF_AV1Config const * const cfg) { ++static GF_AV1Config* AV1_DuplicateConfig(GF_AV1Config const * const cfg) ++{ + u32 i = 0; + GF_AV1Config *out = gf_malloc(sizeof(GF_AV1Config)); + +@@ -1374,7 +1375,7 @@ void AV1_RewriteESDescriptorEx(GF_MPEGVi + av1->emul_esd->decoderConfig->avgBitrate = btrt->avgBitrate; + av1->emul_esd->decoderConfig->maxBitrate = btrt->maxBitrate; + } +- if (av1->av1_config) { ++ if (av1->av1_config && av1->av1_config->config) { + GF_AV1Config *av1_cfg = AV1_DuplicateConfig(av1->av1_config->config); + if (av1_cfg) { + gf_odf_av1_cfg_write(av1_cfg, &av1->emul_esd->decoderConfig->decoderSpecificInfo->data, &av1->emul_esd->decoderConfig->decoderSpecificInfo->dataLength); +@@ -2275,7 +2276,7 @@ GF_AV1Config *gf_isom_av1_config_get(GF_ + trak = gf_isom_get_track_from_file(the_file, trackNumber); + if (!trak || !trak->Media || !DescriptionIndex) return NULL; + entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex - 1); +- if (!entry || !entry->av1_config) return NULL; ++ if (!entry || !entry->av1_config|| !entry->av1_config->config) return NULL; + return AV1_DuplicateConfig(entry->av1_config->config); + } + diff --git a/debian/patches/series b/debian/patches/series index db87f3b..0f766af 100644 --- a/debian/patches/series +++ b/debian/patches/series 
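Review bot: In gf_isom_av1_config_get the line before the changed one dereferences `trak->Media->information->sampleTable->SampleDescription->child_boxes` after checking only `trak->Media`, so a track missing its `minf`, `stbl` or `stsd` box still crashes before the new `!entry->av1_config->config` test is reached; extend the guard the way the CVE-2020-35981 patch in this series does, e.g. `if (!trak || !trak->Media || !trak->Media->information || !trak->Media->information->sampleTable || !trak->Media->information->sampleTable->SampleDescription || !DescriptionIndex) return NULL;`. Also `!entry->av1_config|| !entry->av1_config->config` is missing a space before `||`. In AV1_DuplicateConfig the `gf_malloc` result is not checked in the visible lines, and the caller's `if (av1_cfg)` suggests NULL is an expected return, so the body past the hunk should confirm it. All three touched functions start or end outside their hunks.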
@@ -1,2 +1,18 @@
 gcc-optflags.patch
 dont-err-build-on-uknown-system.patch
+CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch
+CVE-2020-35979.patch
+CVE-2020-35981.patch
+CVE-2020-35982.patch
+CVE-2021-28300.patch
+CVE-2021-29279.patch
+CVE-2021-31255.patch
+CVE-2021-31256.patch
+CVE-2021-31261.patch
+CVE-2021-30015.patch
+CVE-2021-30019.patch
+CVE-2021-30199.patch
+CVE-2021-31257.patch
+CVE-2021-31258.patch
+CVE-2021-31260.patch
+CVE-2021-31262.patch