From 3d1ff1b350fd48d30ac126da185f1f8acc1e4cfa Mon Sep 17 00:00:00 2001
From: jeanlf <jeanlf@gpac.io>
Date: Thu, 10 Mar 2022 15:43:11 +0100
Subject: [PATCH] [PATCH] fixed #2138

Gbp-Pq: Name CVE-2022-26967_partial.patch
---
 include/gpac/base_coding.h       |  4 ++--
 src/filters/dasher.c             |  4 ++--
 src/filters/write_nhml.c         |  4 ++--
 src/isomedia/box_dump.c          |  4 ++--
 src/jsmods/core.c                |  7 ++++---
 src/media_tools/crypt_tools.c    |  2 +-
 src/media_tools/media_export.c   | 12 +++++-------
 src/scene_manager/loader_svg.c   |  8 ++++----
 src/scene_manager/scene_dump.c   |  6 +++---
 src/scene_manager/scene_engine.c |  5 +++--
 src/utils/base_encoding.c        |  6 +++---
 11 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/include/gpac/base_coding.h b/include/gpac/base_coding.h
index 6dd73ab..3a749b9 100644
--- a/include/gpac/base_coding.h
+++ b/include/gpac/base_coding.h
@@ -56,7 +56,7 @@ Encodes a data buffer to Base64
 \param in_buffer_size input data buffer size
 \param out_buffer output Base64 buffer location
 \param out_buffer_size output Base64 buffer allocated size
-\return size of the encoded Base64 buffer
+\return size of the encoded Base64 buffer, 0 if error
 \note the encoded data buffer is not NULL-terminated.
  */
 u32 gf_base64_encode(const u8 *in_buffer, u32 in_buffer_size, u8 *out_buffer, u32 out_buffer_size);
@@ -80,7 +80,7 @@ Encodes a data buffer to Base16
 \param in_buffer_size input data buffer size
 \param out_buffer output Base16 buffer location
 \param out_buffer_size output Base16 buffer allocated size
-\return size of the encoded Base16 buffer
+\return size of the encoded Base16 buffer, 0 if error
 \note the encoded data buffer is not NULL-terminated.
  */
 u32 gf_base16_encode(u8 *in_buffer, u32 in_buffer_size, u8 *out_buffer, u32 out_buffer_size);
diff --git a/src/filters/dasher.c b/src/filters/dasher.c
index b4c89cc..5808fa7 100644
--- a/src/filters/dasher.c
+++ b/src/filters/dasher.c
@@ -1627,8 +1627,8 @@ static GF_List *dasher_get_content_protection_desc(GF_DasherCtx *ctx, GF_DashStr
 						pnode->type = GF_XML_TEXT_TYPE;
 						gf_list_add(node->content, pnode);
 
-						size_64 = 2*pssh_len;
-						pnode->name = gf_malloc(size_64);
+						size_64 = 2*pssh_len + 3;
+						pnode->name = gf_malloc(sizeof(char) * size_64);
 						if (pnode->name) {
 							size_64 = gf_base64_encode((const char *)pssh_data, pssh_len, (char *)pnode->name, size_64);
 							pnode->name[size_64] = 0;
diff --git a/src/filters/write_nhml.c b/src/filters/write_nhml.c
index 6ea26cf..ac79113 100644
--- a/src/filters/write_nhml.c
+++ b/src/filters/write_nhml.c
@@ -760,8 +760,8 @@ static void nhmldump_send_frame(GF_NHMLDumpCtx *ctx, char *data, u32 data_size,
 					gf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml));
 				} else {
 					u32 d_size;
-					if (ctx->b64_buffer_size<2*s_size) {
-						ctx->b64_buffer_size = 2 * s_size;
+					if (ctx->b64_buffer_size < 2*s_size + 3) {
+						ctx->b64_buffer_size = 2 * s_size + 3;
 						ctx->b64_buffer = gf_realloc(ctx->b64_buffer, ctx->b64_buffer_size);
 					}
 					d_size = gf_base64_encode(data + offset_in_sample, s_size, ctx->b64_buffer, ctx->b64_buffer_size);
diff --git a/src/isomedia/box_dump.c b/src/isomedia/box_dump.c
index b6f253a..3078d28 100644
--- a/src/isomedia/box_dump.c
+++ b/src/isomedia/box_dump.c
@@ -5089,8 +5089,8 @@ GF_Err colr_box_dump(GF_Box *a, FILE * trace)
 			gf_fprintf(trace, "colour_type=\"%s\">\n", gf_4cc_to_str(ptr->colour_type));
 			if (ptr->opaque != NULL) {
 				gf_fprintf(trace, "<profile><![CDATA[");
-				size_64 = 2*ptr->opaque_size;
-				prof_data_64 = gf_malloc(size_64);
+				size_64 = 2*ptr->opaque_size+3;
+				prof_data_64 = gf_malloc(sizeof(char) * size_64);
 				size_64 = gf_base64_encode((const char *) ptr->opaque, ptr->opaque_size, (char *)prof_data_64, size_64);
 				prof_data_64[size_64] = 0;
 				gf_fprintf(trace, "%s", prof_data_64);
diff --git a/src/jsmods/core.c b/src/jsmods/core.c
index fb1f119..7e06f75 100644
--- a/src/jsmods/core.c
+++ b/src/jsmods/core.c
@@ -1361,14 +1361,15 @@ static JSValue js_sys_basecode_ex(JSContext *ctx, JSValueConst this_val, int arg
 		size_t data_size;
 		data = JS_GetArrayBuffer(ctx, &data_size, argv[0] );
 		if (!data) return JS_EXCEPTION;
-		out_ptr = gf_malloc(sizeof(u8) * (1 + data_size * 2) );
+                u32 size64 = (u32) data_size * 2 + 3;
+                out_ptr = gf_malloc(sizeof(char) * size64);
 		if (!out_ptr) {
 			e = GF_OUT_OF_MEM;
 		} else if (is_16) {
-			out_size = gf_base16_encode((u8*) data, (u32) data_size, out_ptr, 1 + (u32) data_size * 2);
+                        out_size = gf_base16_encode((u8*) data, (u32) data_size, out_ptr, size64);
 			e = out_size ? GF_OK : GF_NON_COMPLIANT_BITSTREAM;
 		} else {
-			out_size = gf_base64_encode((u8*) data, (u32) data_size, out_ptr, 1 + (u32) data_size * 2);
+                        out_size = gf_base64_encode((u8*) data, (u32) data_size, out_ptr, size64);
 			e = out_size ? GF_OK : GF_NON_COMPLIANT_BITSTREAM;
 		}
 	}
diff --git a/src/media_tools/crypt_tools.c b/src/media_tools/crypt_tools.c
index 0739baf..3cf8910 100644
--- a/src/media_tools/crypt_tools.c
+++ b/src/media_tools/crypt_tools.c
@@ -240,7 +240,7 @@ static void cryptinfo_node_start(void *sax_cbck, const char *node_name, const ch
 				}
 			}
 			else if (!stricmp(att->name, "metadata")) {
-				u32 l = 2 * (u32) strlen(att->value);
+				u32 l = 2 * (u32) strlen(att->value) + 3;
 				tkc->metadata = gf_malloc(sizeof(char) * l);
 				l = gf_base64_encode(att->value, (u32) strlen(att->value), tkc->metadata, l);
 				tkc->metadata[l] = 0;
diff --git a/src/media_tools/media_export.c b/src/media_tools/media_export.c
index 0fa7388..18e903a 100644
--- a/src/media_tools/media_export.c
+++ b/src/media_tools/media_export.c
@@ -800,14 +800,12 @@ GF_Err gf_media_export_webvtt_metadata(GF_MediaExporter *dumper)
 				samp->data[samp->dataLength] = 0;
 				gf_fprintf(vtt, "%s\n", samp->data);
 			} else {
-				u32 b64_size;
+				u32 b64_size = samp->dataLength*2 + 3;
 				char *b64;
-				b64 = (char *)gf_malloc(samp->dataLength*3);
-				b64_size = gf_base64_encode(samp->data, samp->dataLength, b64, samp->dataLength*3);
-				if (b64_size != (u32)-1) {
-					b64[b64_size] = 0;
-					gf_fprintf(vtt, "%s\n", b64);
-				}
+				b64 = (char *)gf_malloc(sizeof(char)*b64_size);
+				b64_size = gf_base64_encode(samp->data, samp->dataLength, b64, b64_size);
+				b64[b64_size] = 0;
+				gf_fprintf(vtt, "%s\n", b64);
 				gf_free(b64);
 			}
 		}
diff --git a/src/scene_manager/loader_svg.c b/src/scene_manager/loader_svg.c
index c39b5d6..e14e6ef 100644
--- a/src/scene_manager/loader_svg.c
+++ b/src/scene_manager/loader_svg.c
@@ -2,7 +2,7 @@
  *			GPAC - Multimedia Framework C SDK
  *
  *			Authors: Jean Le Feuvre, Cyril Concolato
- *			Copyright (c) Telecom ParisTech 2000-2012
+ *			Copyright (c) Telecom ParisTech 2000-2022
  *					All rights reserved
  *
  *  This file is part of GPAC / Scene Management sub-project
@@ -259,10 +259,10 @@ static void svg_process_media_href(GF_SVG_Parser *parser, GF_Node *elt, XMLRI *i
 		} else {
 			char *mtype;
 			char *buf64;
-			u64 size64;
+			u32 size64 = size*2 + 3;
 			char *ext;
-			buf64 = (char *)gf_malloc((size_t)size*2);
-			size64 = gf_base64_encode(buffer, (u32)size, buf64, (u32)size*2);
+			buf64 = (char *)gf_malloc(sizeof(char) * size64);
+			size64 = gf_base64_encode(buffer, (u32)size, buf64, size64);
 			buf64[size64] = 0;
 			mtype = "application/data";
 			ext = strchr(iri->string, '.');
diff --git a/src/scene_manager/scene_dump.c b/src/scene_manager/scene_dump.c
index c0194a8..73e537b 100644
--- a/src/scene_manager/scene_dump.c
+++ b/src/scene_manager/scene_dump.c
@@ -2,7 +2,7 @@
  *			GPAC - Multimedia Framework C SDK
  *
  *			Authors: Jean Le Feuvre
- *			Copyright (c) Telecom ParisTech 2000-2012
+ *			Copyright (c) Telecom ParisTech 2000-2022
  *					All rights reserved
  *
  *  This file is part of GPAC / Scene Management sub-project
@@ -649,8 +649,8 @@ static void gf_dump_vrml_sffield(GF_SceneDumper *sdump, u32 type, void *ptr, Boo
 		str = ((SFString *)ptr)->buffer;
 
 		if (node && (gf_node_get_tag(node)==TAG_MPEG4_BitWrapper)) {
-			u32 bufsize = 50+ ((M_BitWrapper*)node)->buffer_len * 2;
-			str = gf_malloc(sizeof(char)* bufsize);
+			u32 bufsize = 37 + ((M_BitWrapper*)node)->buffer_len * 2 + 3;
+			str = gf_malloc(sizeof(char) * bufsize);
 			if (str) {
 				s32 res;
 				strcpy(str, "data:application/octet-string;base64,");
diff --git a/src/scene_manager/scene_engine.c b/src/scene_manager/scene_engine.c
index 2cbc4bd..6be1de7 100644
--- a/src/scene_manager/scene_engine.c
+++ b/src/scene_manager/scene_engine.c
@@ -1105,8 +1105,9 @@ char *gf_seng_get_base64_iod(GF_SceneEngine *seng)
 
 	size = 0;
 	gf_odf_desc_write((GF_Descriptor *) seng->ctx->root_od, &buffer, &size);
-	buf64 = gf_malloc(size*2);
-	size64 = gf_base64_encode( buffer, size, buf64, size*2);
+	size64 = size*2 + 3;
+	buf64 = gf_malloc(sizeof(char) * size64);
+	size64 = gf_base64_encode( buffer, size, buf64, size64);
 	buf64[size64] = 0;
 	gf_free(buffer);
 	return buf64;
diff --git a/src/utils/base_encoding.c b/src/utils/base_encoding.c
index 5fab8bb..9cfc894 100644
--- a/src/utils/base_encoding.c
+++ b/src/utils/base_encoding.c
@@ -42,6 +42,8 @@ u32 gf_base64_encode(const u8 *_in, u32 inSize, u8 *_out, u32 outSize)
 
 	while (i < inSize) {
 		padding = 3 - (inSize - i);
+		if (j+4>=outSize)
+			return 0;
 		if (padding == 2) {
 			out[j] = base_64[in[i]>>2];
 			out[j+1] = base_64[(in[i] & 0x03) << 4];
@@ -147,14 +149,12 @@ u32 gf_base16_encode(u8 *_in, u32 inSize, u8 *_out, u32 outSize)
 	unsigned char *in = (unsigned char *)_in;
 	unsigned char *out = (unsigned char *)_out;
 
-	if (outSize < (inSize * 2)+1) return 0;
+	if (outSize < (inSize * 2)) return 0;
 
 	for (i=0; i<inSize; i++) {
 		out[2*i] = base_16[((in[i] & 0xf0) >> 4)];
 		out[2*i+1] = base_16[(in[i] & 0x0f)];
 	}
-	out[(inSize * 2)] = 0;
-
 	return inSize * 2;
 }
 
-- 
2.30.2