From 04e08c4918159d225ae79a6667a0dc8f0a3a114c Mon Sep 17 00:00:00 2001
From: jeanlf
Date: Mon, 19 Dec 2022 12:25:50 +0100
Subject: [PATCH] [PATCH] fixed #2359
Gbp-Pq: Name CVE-2022-47662.patch
---
 include/gpac/internal/isomedia_dev.h | 2 +-
 src/isomedia/avc_ext.c | 51 +++++++++++++++++++++-------
 src/media_tools/isom_tools.c | 4 +++
 3 files changed, 44 insertions(+), 13 deletions(-)
diff --git a/include/gpac/internal/isomedia_dev.h b/include/gpac/internal/isomedia_dev.h
index 1090d1b..1f5b982 100644
--- a/include/gpac/internal/isomedia_dev.h
+++ b/include/gpac/internal/isomedia_dev.h
@@ -922,7 +922,7 @@ typedef struct __tag_media_box
 GF_ISOSample *extracted_samp;
 GF_BitStream *extracted_bs;
-
+ Bool in_nalu_rewrite;
 } GF_MediaBox;
 typedef struct
diff --git a/src/isomedia/avc_ext.c b/src/isomedia/avc_ext.c
index 701d0f3..e9ce98e 100644
--- a/src/isomedia/avc_ext.c
+++ b/src/isomedia/avc_ext.c
@@ -410,7 +410,6 @@ static void nalu_merge_ps(GF_BitStream *ps_bs, Bool rewrite_start_codes, u32 nal
 }
 }
-
 GF_Err gf_isom_nalu_sample_rewrite(GF_MediaBox *mdia, GF_ISOSample *sample, u32 sampleNumber, GF_MPEGVisualSampleEntryBox *entry)
 {
 Bool is_hevc = GF_FALSE;
@@ -430,6 +429,10 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_MediaBox *mdia, GF_ISOSample *sample, u32
 GF_ISOFile *file = mdia->mediaTrack->moov->mov;
 GF_TrackReferenceTypeBox *scal = NULL;
+ if (mdia->in_nalu_rewrite)
+ return GF_ISOM_INVALID_FILE;
+ mdia->in_nalu_rewrite = GF_TRUE;
+
 Track_FindRef(mdia->mediaTrack, GF_ISOM_REF_SCAL, &scal);
 rewrite_ps = (mdia->mediaTrack->extractor_mode & GF_ISOM_NALU_EXTRACT_INBAND_PS_FLAG) ? GF_TRUE : GF_FALSE;
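Review bot: The new `in_nalu_rewrite` member of GF_MediaBox is added without a comment, and nothing in the header tells a reader that it is a re-entrancy guard rather than a configuration flag. The companion change in avc_ext.c sets it on entry to gf_isom_nalu_sample_rewrite, fails a nested call with GF_ISOM_INVALID_FILE while it is set, and clears it on every return, so the header should say so, e.g. `Bool in_nalu_rewrite; /*set while gf_isom_nalu_sample_rewrite runs on this box; a nested call fails instead of re-entering*/`. The struct definition starts before the hunk.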
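Review bot: The guard set at the top of gf_isom_nalu_sample_rewrite has to be undone by hand before every early return, and the commit does this at a dozen separate sites across hunks -461, -490, -527, -554, -570, -586, -677, -693, -770 and -852; any return path that is missed, now or in a later edit, leaves in_nalu_rewrite set and every later sample of that track is rejected with GF_ISOM_INVALID_FILE. The function already ends in an `exit:` label that clears the flag (hunk -852), so each early return would be safer as `e = GF_OUT_OF_MEM; goto exit;` (likewise for GF_BAD_PARAM, GF_ISOM_INVALID_FILE and the GF_OK exits) so the reset lives in one place. That rewrite is only valid if `sei_suffix_bs` is initialised to NULL before the first such goto, which the hunks do not show. The body of gf_isom_nalu_sample_rewrite runs well past this hunk.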
@@ -461,10 +464,14 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_MediaBox *mdia, GF_ISOSample *sample, u32
 if (!mdia->extracted_samp) {
 mdia->extracted_samp = gf_isom_sample_new();
- if (!mdia->extracted_samp) return GF_OUT_OF_MEM;
+ if (!mdia->extracted_samp) {
+ mdia->in_nalu_rewrite = GF_FALSE;
+ return GF_OUT_OF_MEM;
+ }
 }
 base_samp = gf_isom_get_sample_ex(mdia->mediaTrack->moov->mov, ref_track, sampleNumber + mdia->mediaTrack->sample_count_at_seg_start, &di, mdia->extracted_samp, NULL);
+ //base sample may be null (track split)
 if (base_samp && base_samp->data) {
 if (!sample->alloc_size || (sample->alloc_sizedataLength+base_samp->dataLength) ) {
 sample->data = gf_realloc(sample->data, sample->dataLength+base_samp->dataLength);
@@ -490,10 +497,14 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_MediaBox *mdia, GF_ISOSample *sample, u32
 if (!mdia->extracted_samp) {
 mdia->extracted_samp = gf_isom_sample_new();
- if (!mdia->extracted_samp) return GF_OUT_OF_MEM;
+ if (!mdia->extracted_samp) {
+ mdia->in_nalu_rewrite = GF_FALSE;
+ return GF_OUT_OF_MEM;
+ }
 }
 tile_samp = gf_isom_get_sample_ex(mdia->mediaTrack->moov->mov, ref_track, sampleNumber + mdia->mediaTrack->sample_count_at_seg_start, &di, mdia->extracted_samp, NULL);
+ //tile sample may be NULL (removal of tracks, ...)
 if (tile_samp && tile_samp ->data) {
 if (!sample->alloc_size || (sample->alloc_sizedataLength+tile_samp->dataLength) ) {
 sample->data = gf_realloc(sample->data, sample->dataLength+tile_samp->dataLength);
@@ -502,7 +513,7 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_MediaBox *mdia, GF_ISOSample *sample, u32
 memcpy(sample->data + sample->dataLength, tile_samp->data, tile_samp->dataLength);
 sample->dataLength += tile_samp->dataLength;
 }
- }
+ }
 }
 }
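Review bot: The new comment `//base sample may be null (track split)` documents one failure of gf_isom_get_sample_ex, but the line right below it still assigns `gf_realloc` straight back into `sample->data`, and the copy that follows (visible for the tile path in hunk -502 as a memcpy into `sample->data + sample->dataLength`) then writes through NULL when the allocation fails, with the old buffer pointer lost; the same pattern follows the `//tile sample may be NULL` comment in hunk -490. Not touched by this commit, but worth fixing while this path is being hardened: `u8 *tmp = gf_realloc(sample->data, sample->dataLength+base_samp->dataLength); if (!tmp) { mdia->in_nalu_rewrite = GF_FALSE; return GF_OUT_OF_MEM; } sample->data = tmp;`. The condition `sample->alloc_sizedataLength` reads as a rendering artefact (a stripped comparison operator) rather than source, so it is not raised here. The enclosing function starts and ends outside the hunk.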
@@ -527,15 +538,19 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_MediaBox *mdia, GF_ISOSample *sample, u32
 if (extractor_mode != GF_ISOM_NALU_EXTRACT_LAYER_ONLY) insert_vdrd_code = GF_FALSE;
- if (!entry) return GF_BAD_PARAM;
-
+ if (!entry) {
+ mdia->in_nalu_rewrite = GF_FALSE;
+ return GF_BAD_PARAM;
+ }
 //this is a compatible HEVC, don't insert VDRD, insert NALU delim
 if (entry->lhvc_config && entry->hevc_config) insert_vdrd_code = GF_FALSE;
 if (extractor_mode == GF_ISOM_NALU_EXTRACT_INSPECT) {
- if (!rewrite_ps && !rewrite_start_codes)
+ if (!rewrite_ps && !rewrite_start_codes) {
+ mdia->in_nalu_rewrite = GF_FALSE;
 return GF_OK;
+ }
 }
 nal_unit_size_field = 0;
@@ -554,6 +569,7 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_MediaBox *mdia, GF_ISOSample *sample, u32
 /*otherwise do nothing*/ else if (!rewrite_ps && !rewrite_start_codes && !scal && !force_sei_inspect) {
+ mdia->in_nalu_rewrite = GF_FALSE;
 return GF_OK;
 }
@@ -570,8 +586,10 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_MediaBox *mdia, GF_ISOSample *sample, u32
 }
 }
- if (!nal_unit_size_field) return GF_ISOM_INVALID_FILE;
-
+ if (!nal_unit_size_field) {
+ mdia->in_nalu_rewrite = GF_FALSE;
+ return GF_ISOM_INVALID_FILE;
+ }
 //setup PS rewriter
 if (!mdia->nalu_ps_bs) mdia->nalu_ps_bs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE);
@@ -586,10 +604,16 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_MediaBox *mdia, GF_ISOSample *sample, u32
 if (!mdia->nalu_parser) {
 mdia->nalu_parser = gf_bs_new(mdia->in_sample_buffer, sample->dataLength, GF_BITSTREAM_READ);
- if (!mdia->nalu_parser && sample->data) return GF_ISOM_INVALID_FILE;
+ if (!mdia->nalu_parser && sample->data) {
+ mdia->in_nalu_rewrite = GF_FALSE;
+ return GF_ISOM_INVALID_FILE;
+ }
 } else {
 e = gf_bs_reassign_buffer(mdia->nalu_parser, mdia->in_sample_buffer, sample->dataLength);
- if (e) return e;
+ if (e) {
+ mdia->in_nalu_rewrite = GF_FALSE;
+ return e;
+ }
 }
 //setup ouput
 if (!mdia->nalu_out_bs) {
@@ -677,7 +701,7 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_MediaBox *mdia, GF_ISOSample *sample, u32
 }
 gf_bs_write_data(mdia->nalu_out_bs, mdia->in_sample_buffer, sample->dataLength);
 gf_bs_get_content_no_truncate(mdia->nalu_out_bs, &sample->data, &sample->dataLength, &sample->alloc_size);
-
+ mdia->in_nalu_rewrite = GF_FALSE;
 return GF_OK;
 }
 }
@@ -693,6 +717,7 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_MediaBox *mdia, GF_ISOSample *sample, u32
 }
 gf_bs_write_data(mdia->nalu_out_bs, mdia->in_sample_buffer, sample->dataLength);
 gf_bs_get_content_no_truncate(mdia->nalu_out_bs, &sample->data, &sample->dataLength, &sample->alloc_size);
+ mdia->in_nalu_rewrite = GF_FALSE;
 return GF_OK;
 }
@@ -770,6 +795,7 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_MediaBox *mdia, GF_ISOSample *sample, u32
 if (check_cra_bla && !sample->IsRAP) {
 sample->IsRAP = sap_type_from_nal_type(nal_type);
 if (sei_suffix_bs) gf_bs_del(sei_suffix_bs);
+ mdia->in_nalu_rewrite = GF_FALSE;
 return gf_isom_nalu_sample_rewrite(mdia, sample, sampleNumber, entry);
 }
 default:
@@ -852,6 +878,7 @@ exit:
 if (sei_suffix_bs) gf_bs_del(sei_suffix_bs);
+ mdia->in_nalu_rewrite = GF_FALSE;
 return e;
 }
diff --git a/src/media_tools/isom_tools.c b/src/media_tools/isom_tools.c
index fbdd0c7..ebc998a 100644
--- a/src/media_tools/isom_tools.c
+++ b/src/media_tools/isom_tools.c
@@ -3225,6 +3225,10 @@ GF_Err gf_media_split_hevc_tiles(GF_ISOFile *file, u32 signal_mode)
 u32 size, nb_nalus=0, nb_nal_entries=0, last_tile_group=(u32) -1;
 GF_BitStream *bs=NULL;
 GF_ISOSample *sample = gf_isom_get_sample(file, track, i+1, &di);
+ if (!sample) {
+ e = gf_isom_last_error(file);
+ goto err_exit;
+ }
 data = (u8 *) sample->data;
 size = sample->dataLength;
-- 
2.30.2
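Review bot: Clearing in_nalu_rewrite immediately before the tail call `return gf_isom_nalu_sample_rewrite(mdia, sample, sampleNumber, entry);` in hunk -770 means this recursion runs with the guard off, so its termination rests entirely on `sample->IsRAP` having become non-zero on the line above; if sap_type_from_nal_type can return 0 for the NAL type that reached this branch, the same branch is taken again on the next pass and the function recurses without bound. Worth turning the invariant into an explicit error before the reset, `if (!sample->IsRAP) { e = GF_ISOM_INVALID_FILE; goto exit; }`, noting that sei_suffix_bs has already been deleted on the preceding line and would need to be set to NULL first so the delete under `exit:` does not free it twice. The switch this case belongs to starts and ends outside the hunk.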
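Review bot: When gf_isom_get_sample returns NULL, the new branch in gf_media_split_hevc_tiles takes `e = gf_isom_last_error(file);` as the error to report, but if the library has not recorded an error for that lookup, e stays GF_OK and err_exit returns success for a split that silently stopped early. A fallback such as `if (e == GF_OK) e = GF_ISOM_INVALID_FILE;` after the assignment keeps the failure visible to the caller. The loop and the err_exit label lie outside the hunk, so whether err_exit tolerates the `bs` that is still NULL at this point cannot be confirmed here.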