From: Reinhard Tartler
Date: Fri, 15 Feb 2019 11:39:22 +0000 (-0500)
Subject: add CVE-2018-13005.patch
X-Git-Tag: archive/raspbian/1.0.1+dfsg1-4+rpi1~1^2~45
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=fe5a1adbe168a8ebf9d38dc6d3e0841ce8ddbd00;p=gpac.git

add CVE-2018-13005.patch

Addresses CVE-2018-13005 and CVE-2018-13006
---
diff --git a/debian/patches/CVE-2018-13005.patch b/debian/patches/CVE-2018-13005.patch
new file mode 100644
index 0000000..b3ceb93
--- /dev/null
+++ b/debian/patches/CVE-2018-13005.patch
@@ -0,0 +1,87 @@
+commit bceb03fd2be95097a7b409ea59914f332fb6bc86
+Author: Aurelien David
+Date: Thu Jun 28 13:34:08 2018 +0200
+Description: CVE-2018-13005, CVE-2018-13006
+
+ fixed 2 possible heap overflows (inc. #1088)
+
+--- a/include/gpac/internal/isomedia_dev.h
++++ b/include/gpac/internal/isomedia_dev.h
+@@ -3668,7 +3668,7 @@ GF_GenericSubtitleSample *gf_isom_parse_
+ char __ptype[5];\
+ strcpy(__ptype, gf_4cc_to_str(__parent->type) );\
+ GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[iso file] extra box %s found in %s, deleting\n", gf_4cc_to_str(__abox->type), __ptype)); \
+- gf_isom_box_del(a);\
++ gf_isom_box_del(__abox);\
+ return GF_OK;\
+ }
+
+--- a/src/isomedia/box_code_base.c
++++ b/src/isomedia/box_code_base.c
+@@ -632,7 +632,7 @@ GF_Err urn_Read(GF_Box *s, GF_BitStream
+
+ //then get the break
+ i = 0;
+- while ( (tmpName[i] != 0) && (i < to_read) ) {
++ while ( (i < to_read) && (tmpName[i] != 0) ) {
+ i++;
+ }
+ //check the data is consistent
+--- a/src/isomedia/box_dump.c
++++ b/src/isomedia/box_dump.c
+@@ -484,7 +484,7 @@ GF_Err hdlr_dump(GF_Box *a, FILE * trace
+ {
+ GF_HandlerBox *p = (GF_HandlerBox *)a;
+ gf_isom_box_dump_start(a, "HandlerBox", trace);
+- if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8+1)) {
++ if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1) {
+ fprintf(trace, "hdlrType=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8+1);
+ } else {
+ fprintf(trace, "hdlrType=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8);
+@@ -4157,9 +4157,9 @@ static void oinf_entry_dump(GF_Operating
+ fprintf(trace, " maxPicWidth=\"%u\" maxPicHeight=\"%u\"", op->maxPicWidth, op->maxPicHeight);
+ fprintf(trace, " maxChromaFormat=\"%u\" maxBitDepth=\"%u\"", op->maxChromaFormat, op->maxBitDepth);
+ fprintf(trace, " frame_rate_info_flag=\"%u\" bit_rate_info_flag=\"%u\"", op->frame_rate_info_flag, op->bit_rate_info_flag);
+- if (op->frame_rate_info_flag)
++ if (op->frame_rate_info_flag)
+ fprintf(trace, " avgFrameRate=\"%u\" constantFrameRate=\"%u\"", op->avgFrameRate, op->constantFrameRate);
+- if (op->bit_rate_info_flag)
++ if (op->bit_rate_info_flag)
+ fprintf(trace, " maxBitRate=\"%u\" avgBitRate=\"%u\"", op->maxBitRate, op->avgBitRate);
+ fprintf(trace, "/>\n");
+ }
+@@ -4261,14 +4261,14 @@ static void nalm_dump(FILE * trace, char
+ fprintf(trace, "\n");
+ return;
+ }
+-
++
+ bs = gf_bs_new(data, data_size, GF_BITSTREAM_READ);
+ gf_bs_read_int(bs, 6);
+ large_size = gf_bs_read_int(bs, 1);
+ rle = gf_bs_read_int(bs, 1);
+ entry_count = gf_bs_read_int(bs, large_size ? 16 : 8);
+ fprintf(trace, "\n", rle, large_size);
+-
++
+ while (entry_count) {
+ u32 ID;
+ fprintf(trace, "data, ((GF_DefaultSampleGroupDescriptionEntry*)entry)->length);
+ break;
+-
++
+ case GF_ISOM_SAMPLE_GROUP_NALM:
+ nalm_dump(trace, (char *) ((GF_DefaultSampleGroupDescriptionEntry*)entry)->data, ((GF_DefaultSampleGroupDescriptionEntry*)entry)->length);
+ break;
+@@ -4501,7 +4501,7 @@ GF_Err tenc_dump(GF_Box *a, FILE * trace
+ fprintf(trace, "\" KID=\"");
+ }
+ dump_data_hex(trace, (char *) ptr->KID, 16);
+- if (ptr->version)
++ if (ptr->version)
+ fprintf(trace, "\" crypt_byte_block=\"%d\" skip_byte_block=\"%d", ptr->crypt_byte_block, ptr->skip_byte_block);
+ fprintf(trace, "\">\n");
+ gf_isom_box_dump_done("TrackEncryptionBox", a, trace);
diff --git a/debian/patches/series b/debian/patches/series
index 4b5131a..6953cb6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ CVE-2018-7752.patch
 CVE-2018-20762.patch
 CVE-2018-20763.patch
 CVE-2018-20760.patch
+CVE-2018-13005.patch
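Review bot: In the `hdlr_dump` hunk of the added patch (`@@ -484,7 +484,7 @@`), the `else` branch still passes `p->nameUTF8` to `%s` when the pointer is NULL, because the `p->nameUTF8 && ...` guard only protects the first branch, and a NULL `%s` argument is undefined behaviour in C. Whether the box reader can leave `nameUTF8` unset for a malformed file is not visible here, so this needs confirming against the reader, but the defensive form is a one-line change: pass `p->nameUTF8 ? p->nameUTF8 : ""` as the last argument of the second `fprintf`. The new test `strlen(p->nameUTF8)-1` also relies on unsigned wrap-around for an empty name (0-1 becomes a huge value, so the comparison fails and the plain-string branch runs), which deserves a comment such as `/* empty name: strlen()-1 wraps, so we take the else branch and never read nameUTF8+1 */`. The body of `hdlr_dump` continues past the quoted context.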