From 5f5a3bea41849286d8431e558367bbf97368c613 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Fri, 12 Apr 2019 21:23:57 -0400 Subject: [PATCH] Prepare new upload * Bug fix: "CVE-2019-11222: Buffer-overflow in gf_bin128_parse", thanks to Salvatore Bonaccorso (Closes: #926961). * Bug fix: "CVE-2019-11221: buffer-overflow issue in gf_import_message() in media_import.c", thanks to Salvatore Bonaccorso (Closes: #926963). --- debian/changelog | 10 ++ debian/patches/CVE-2019-11221.patch | 180 ++++++++++++++++++++++++++++ debian/patches/CVE-2019-11222.patch | 25 ++++ debian/patches/series | 2 + 4 files changed, 217 insertions(+) create mode 100644 debian/patches/CVE-2019-11221.patch create mode 100644 debian/patches/CVE-2019-11222.patch diff --git a/debian/changelog b/debian/changelog index b69356a..dc7f655 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +gpac (0.5.2-426-gc5ad4e4+dfsg5-5) unstable; urgency=medium + + [ Moritz Muehlenhoff ] + * Bug fix: "CVE-2019-11222: Buffer-overflow in gf_bin128_parse", thanks + to Salvatore Bonaccorso (Closes: #926961). + * Bug fix: "CVE-2019-11221: buffer-overflow issue in gf_import_message() + in media_import.c", thanks to Salvatore Bonaccorso (Closes: #926963). + + -- Reinhard Tartler Fri, 12 Apr 2019 21:20:04 -0400 + gpac (0.5.2-426-gc5ad4e4+dfsg5-4.1) unstable; urgency=medium * CVE-2018-7752 (Closes: #892526) diff --git a/debian/patches/CVE-2019-11221.patch b/debian/patches/CVE-2019-11221.patch new file mode 100644 index 0000000..3ad8347 --- /dev/null +++ b/debian/patches/CVE-2019-11221.patch 
@@ -0,0 +1,180 @@ +From f4616202e5578e65746cf7e7ceeba63bee1b094b Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Thu, 11 Apr 2019 14:18:58 +0200 +Subject: [PATCH] fix a bunch of vsprintf -> vsnprintf + +closes #1203 +--- + applications/mp4client/main.c | 2 +- + applications/osmo4_sym/osmo4_view.cpp | 2 +- + src/media_tools/media_export.c | 2 +- + src/media_tools/media_import.c | 2 +- + src/scene_manager/loader_bt.c | 4 ++-- + src/scene_manager/loader_isom.c | 2 +- + src/scene_manager/loader_qt.c | 2 +- + src/scene_manager/loader_svg.c | 8 ++++---- + src/scene_manager/loader_xmt.c | 14 +++++++------- + src/scene_manager/swf_parse.c | 6 +++--- + src/scene_manager/swf_svg.c | 2 +- + src/scenegraph/xbl_process.c | 2 +- + src/utils/alloc.c | 2 +- + src/utils/xml_parser.c | 24 +++++++++++++----------- + 15 files changed, 49 insertions(+), 47 deletions(-) + +--- a/applications/mp4client/main.c ++++ b/applications/mp4client/main.c +@@ -1023,7 +1023,7 @@ static void on_gpac_log(void *cbk, u32 l + + if (rti_logs && (lm & GF_LOG_RTI)) { + char szMsg[2048]; +- vsprintf(szMsg, fmt, list); ++ vsnprintf(szMsg, 2048, fmt, list); + UpdateRTInfo(szMsg + 6 /*"[RTI] "*/); + } else { + if (log_time_start) { +--- a/src/media_tools/media_export.c ++++ b/src/media_tools/media_export.c +@@ -57,7 +57,7 @@ static GF_Err gf_export_message(GF_Media + va_list args; + char szMsg[1024]; + va_start(args, format); +- vsprintf(szMsg, format, args); ++ vsnprintf(szMsg, 1024, format, args); + va_end(args); + GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_AUTHOR, ("%s\n", szMsg) ); + } +--- a/src/media_tools/media_import.c ++++ b/src/media_tools/media_import.c +@@ -50,7 +50,7 @@ GF_Err gf_import_message(GF_MediaImporte + va_list args; + char szMsg[1024]; + va_start(args, format); +- vsprintf(szMsg, format, args); ++ vsnprintf(szMsg, 1024, format, args); + va_end(args); + GF_LOG((u32) (e ? 
GF_LOG_WARNING : GF_LOG_INFO), GF_LOG_AUTHOR, ("%s\n", szMsg) ); + } +--- a/src/scene_manager/loader_bt.c ++++ b/src/scene_manager/loader_bt.c +@@ -121,7 +121,7 @@ static GF_Err gf_bt_report(GF_BTParser * + char szMsg[2048]; + va_list args; + va_start(args, format); +- vsprintf(szMsg, format, args); ++ vsnprintf(szMsg, 2048, format, args); + va_end(args); + GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[BT/WRL Parsing] %s (line %d)\n", szMsg, parser->line)); + } +--- a/src/scene_manager/loader_isom.c ++++ b/src/scene_manager/loader_isom.c +@@ -144,7 +144,7 @@ static void mp4_report(GF_SceneLoader *l + char szMsg[1024]; + va_list args; + va_start(args, format); +- vsprintf(szMsg, format, args); ++ vsnprintf(szMsg, 1024, format, args); + va_end(args); + GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[MP4 Loading] %s\n", szMsg) ); + } +--- a/src/scene_manager/loader_qt.c ++++ b/src/scene_manager/loader_qt.c +@@ -40,7 +40,7 @@ static GF_Err gf_qt_report(GF_SceneLoade + char szMsg[1024]; + va_list args; + va_start(args, format); +- vsprintf(szMsg, format, args); ++ vsnprintf(szMsg, 1024, format, args); + va_end(args); + GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[QT Parsing] %s\n", szMsg) ); + } +--- a/src/scene_manager/loader_svg.c ++++ b/src/scene_manager/loader_svg.c +@@ -134,7 +134,7 @@ static GF_Err svg_report(GF_SVG_Parser * + char szMsg[2048]; + va_list args; + va_start(args, format); +- vsprintf(szMsg, format, args); ++ vsnprintf(szMsg, 2048, format, args); + va_end(args); + GF_LOG((u32) (e ? 
GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[SVG Parsing] line %d - %s\n", gf_xml_sax_get_line(parser->sax_parser), szMsg)); + } +--- a/src/scene_manager/loader_xmt.c ++++ b/src/scene_manager/loader_xmt.c +@@ -144,7 +144,7 @@ static GF_Err xmt_report(GF_XMTParser *p + char szMsg[2048]; + va_list args; + va_start(args, format); +- vsprintf(szMsg, format, args); ++ vsnprintf(szMsg, 2048, format, args); + va_end(args); + GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[XMT Parsing] %s (line %d)\n", szMsg, gf_xml_sax_get_line(parser->sax_parser)) ); + } +--- a/src/scene_manager/swf_parse.c ++++ b/src/scene_manager/swf_parse.c +@@ -2410,7 +2410,7 @@ void swf_report(SWFReader *read, GF_Err + char szMsg[2048]; + va_list args; + va_start(args, format); +- vsprintf(szMsg, format, args); ++ vsnprintf(szMsg, 2048, format, args); + va_end(args); + GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[SWF Parsing] %s (frame %d)\n", szMsg, read->current_frame+1) ); + } +--- a/src/scene_manager/swf_svg.c ++++ b/src/scene_manager/swf_svg.c +@@ -51,7 +51,7 @@ static void swf_svg_print(SWFReader *rea + + /* print the line */ + va_start(args, format); +- vsprintf(line, format, args); ++ vsnprintf(line, 2000, format, args); + va_end(args); + /* add the line to the buffer */ + line_length = (u32)strlen(line); +--- a/src/scenegraph/xbl_process.c ++++ b/src/scenegraph/xbl_process.c +@@ -61,7 +61,7 @@ static GF_Err xbl_parse_report(GF_XBL_Pa + char szMsg[2048]; + va_list args; + va_start(args, format); +- vsprintf(szMsg, format, args); ++ vsnprintf(szMsg, 2048, format, args); + va_end(args); + GF_LOG((u32) (e ? 
GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[XBL Parsing] line %d - %s\n", gf_xml_sax_get_line(parser->sax_parser), szMsg)); + } +--- a/src/utils/alloc.c ++++ b/src/utils/alloc.c +@@ -658,7 +658,7 @@ static void gf_memory_log(unsigned int l + char msg[1024]; + assert(strlen(fmt) < 200); + va_start(vl, fmt); +- vsprintf(msg, fmt, vl); ++ vsnprintf(msg, 1024, fmt, vl); + GF_LOG(level, GF_LOG_MEMORY, (msg)); + va_end(vl); + } +--- a/src/utils/xml_parser.c ++++ b/src/utils/xml_parser.c +@@ -218,14 +218,16 @@ static void format_sax_error(GF_SAXParse + char szM[20]; + + va_start(args, fmt); +- vsprintf(parser->err_msg, fmt, args); ++ vsnprintf(parser->err_msg, ARRAY_LENGTH(parser->err_msg), fmt, args); + va_end(args); + +- sprintf(szM, " - Line %d: ", parser->line + 1); +- strcat(parser->err_msg, szM); +- len = (u32) strlen(parser->err_msg); +- strncpy(parser->err_msg + len, parser->buffer+ (linepos ? linepos : parser->current_pos), 10); +- parser->err_msg[len + 10] = 0; ++ if (strlen(parser->err_msg)+30 < ARRAY_LENGTH(parser->err_msg)) { ++ snprintf(szM, 20, " - Line %d: ", parser->line + 1); ++ strcat(parser->err_msg, szM); ++ len = (u32) strlen(parser->err_msg); ++ strncpy(parser->err_msg + len, parser->buffer+ (linepos ? linepos : parser->current_pos), 10); ++ parser->err_msg[len + 10] = 0; ++ } + parser->sax_state = SAX_STATE_SYNTAX_ERROR; + } + diff --git a/debian/patches/CVE-2019-11222.patch b/debian/patches/CVE-2019-11222.patch new file mode 100644 index 0000000..3d1698b --- /dev/null +++ b/debian/patches/CVE-2019-11222.patch 
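Review bot: In the src/utils/alloc.c hunk the now-bounded message is still handed to the logger as its format string, `GF_LOG(level, GF_LOG_MEMORY, (msg));`, so any `%` that lands in `msg` is re-interpreted by the underlying printf; every other site in this patch logs through `("%s\n", szMsg)` and this one should match, `GF_LOG(level, GF_LOG_MEMORY, ("%s", msg));` (the `assert(strlen(fmt) < 200)` above it is no guard in NDEBUG builds). The sizes passed to vsnprintf are literals duplicated from the array declarations (2048/1024, and in swf_svg.c a bare `2000` for a `line` buffer declared outside the hunk), so `sizeof szMsg` / `sizeof line` would keep the bound from drifting away from the declaration. The inner diffstat still advertises 15 files and 49 insertions while the carried patch holds 13 single hunks (osmo4_view.cpp and the additional loader_bt/loader_svg/loader_xmt/swf_parse hunks are absent), presumably because those call sites do not exist in 0.5.2, so a grep for any remaining `vsprintf(` in the Debian tree would confirm nothing was left behind. Every function touched here starts and ends outside its hunk.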
@@ -0,0 +1,25 @@
+From f36525c5beafb78959c3a07d6622c9028de348da Mon Sep 17 00:00:00 2001
+From: Aurelien David
+Date: Thu, 11 Apr 2019 14:54:53 +0200
+Subject: [PATCH] fix buffer overrun in gf_bin128_parse
+
+closes #1204
+closes #1205
+---
+ src/utils/os_divers.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/src/utils/os_divers.c
++++ b/src/utils/os_divers.c
+@@ -1958,6 +1958,11 @@ GF_Err gf_bin128_parse(char *string, bin
+ sscanf(szV, "%x", &v);
+ value[i] = v;
+ i++;
++ if (i > 15) {
++ // force error check below
++ i++;
++ break;
++ }
+ }
+ }
+ if (i != 16) {
diff --git a/debian/patches/series b/debian/patches/series
index 536659f..8cb3a0a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,5 @@ CVE-2018-13005_CVE-2018-13006.patch
 CVE-2018-20760.patch
 CVE-2018-20761_CVE-2018-20762.patch
 CVE-2018-20763.patch
+CVE-2019-11221.patch
+CVE-2019-11222.patch
-- 
2.30.2
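Review bot: The new guard in the os_divers.c hunk fires one byte too early: it sits after `i++`, so once the 16th byte has been stored `i` is 16, `i > 15` is true, `i` is bumped to 17 and the loop breaks, and the trailing `if (i != 16)` then rejects a well-formed 32-hex-digit value just as it rejects an over-long one (assuming the loop runs once per byte pair, as the visible `value[i] = v; i++;` suggests). Move the block above the store — `if (i > 15) { i++; break; }` first, then `value[i] = v; i++;` — so it is the 17th byte that trips the check and `value[16]` is still never written. The enclosing gf_bin128_parse, including its length check and the loop header, starts and ends outside the hunk, so the iteration count is read from the visible lines only.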