From 79c4529c122c980e65f00941121376e2cbfe9ca9 Mon Sep 17 00:00:00 2001
From: jeanlf <jeanlf@gpac.io>
Date: Fri, 4 Nov 2022 09:18:47 +0100
Subject: [PATCH] [PATCH] fixed #2294

Gbp-Pq: Name CVE-2022-45202.patch
---
 src/isomedia/box_code_3gpp.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/isomedia/box_code_3gpp.c b/src/isomedia/box_code_3gpp.c
index 9faddb2..0e8681c 100644
--- a/src/isomedia/box_code_3gpp.c
+++ b/src/isomedia/box_code_3gpp.c
@@ -1025,8 +1025,7 @@ void dimC_box_del(GF_Box *s)
 
 GF_Err dimC_box_read(GF_Box *s, GF_BitStream *bs)
 {
-	char str[1024];
-	u32 i;
+	u32 i, msize;
 	GF_DIMSSceneConfigBox *p = (GF_DIMSSceneConfigBox *)s;
 
 	ISOM_DECREASE_SIZE(p, 3);
@@ -1037,27 +1036,42 @@ GF_Err dimC_box_read(GF_Box *s, GF_BitStream *bs)
 	p->streamType = gf_bs_read_int(bs, 1);
 	p->containsRedundant = gf_bs_read_int(bs, 2);
 
+	char *str = gf_malloc(sizeof(char)*(p->size+1));
+	if (!str) return GF_OUT_OF_MEM;
+	msize = p->size;
+	str[msize] = 0;
 	i=0;
 	str[0]=0;
-	while (i < GF_ARRAY_LENGTH(str)) {
+	while (i < msize) {
 		str[i] = gf_bs_read_u8(bs);
 		if (!str[i]) break;
 		i++;
 	}
 	ISOM_DECREASE_SIZE(p, i);
+	if (i == msize) {
+		gf_free(str);
+		return GF_ISOM_INVALID_FILE;
+	}
 
 	p->textEncoding = gf_strdup(str);
 
 	i=0;
 	str[0]=0;
-	while (i < GF_ARRAY_LENGTH(str)) {
+	while (i < msize) {
 		str[i] = gf_bs_read_u8(bs);
 		if (!str[i]) break;
 		i++;
 	}
 	ISOM_DECREASE_SIZE(p, i);
+	if (i == msize) {
+		gf_free(str);
+		return GF_ISOM_INVALID_FILE;
+	}
 
 	p->contentEncoding = gf_strdup(str);
+	gf_free(str);
+	if (p->textEncoding || !p->contentEncoding)
+		return GF_OUT_OF_MEM;
 	return GF_OK;
 }
 
-- 
2.30.2