From b5a827937bc1536943ad11dac57cefb5487ac877 Mon Sep 17 00:00:00 2001 
From: Sebastian Ramacher
Date: Fri, 25 Feb 2022 00:01:25 +0100
Subject: [PATCH] Remove upstream patches
---
 debian/patches/CVE-2020-35979.patch | 28 ----
 debian/patches/CVE-2020-35981.patch | 28 ----
 debian/patches/CVE-2020-35982.patch | 22 ---
 debian/patches/CVE-2021-28300.patch | 20 ---
 debian/patches/CVE-2021-29279.patch | 58 -------
 ...-30014_CVE-2021-30020_CVE-2021-30022.patch | 67 --------
 debian/patches/CVE-2021-30015.patch | 21 ---
 debian/patches/CVE-2021-30019.patch | 24 ---
 debian/patches/CVE-2021-30199.patch | 35 ----
 debian/patches/CVE-2021-31255.patch | 123 --------------
 debian/patches/CVE-2021-31256.patch | 27 ----
 debian/patches/CVE-2021-31257.patch | 20 ---
 debian/patches/CVE-2021-31258.patch | 71 --------
 debian/patches/CVE-2021-31260.patch | 36 -----
 debian/patches/CVE-2021-31261.patch | 24 ---
 debian/patches/CVE-2021-31262.patch | 39 -----
 debian/patches/series | 19 ---
 debian/patches/talos-2021-1297.patch | 152 ------------------
 debian/patches/talos-2021-1298.patch | 57 -------
 debian/patches/talos-2021-1299.patch | 75 ---------
 20 files changed, 946 deletions(-)
 delete mode 100644 debian/patches/CVE-2020-35979.patch
 delete mode 100644 debian/patches/CVE-2020-35981.patch
 delete mode 100644 debian/patches/CVE-2020-35982.patch
 delete mode 100644 debian/patches/CVE-2021-28300.patch
 delete mode 100644 debian/patches/CVE-2021-29279.patch
 delete mode 100644 debian/patches/CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch
 delete mode 100644 debian/patches/CVE-2021-30015.patch
 delete mode 100644 debian/patches/CVE-2021-30019.patch
 delete mode 100644 debian/patches/CVE-2021-30199.patch
 delete mode 100644 debian/patches/CVE-2021-31255.patch
 delete mode 100644 debian/patches/CVE-2021-31256.patch
 delete mode 100644 debian/patches/CVE-2021-31257.patch
 delete mode 100644 debian/patches/CVE-2021-31258.patch
 delete mode 100644 debian/patches/CVE-2021-31260.patch
 delete mode 100644 debian/patches/CVE-2021-31261.patch
 delete mode 100644 debian/patches/CVE-2021-31262.patch
 delete mode 100644 debian/patches/talos-2021-1297.patch
 delete mode 100644 debian/patches/talos-2021-1298.patch
 delete mode 100644 debian/patches/talos-2021-1299.patch
diff --git a/debian/patches/CVE-2020-35979.patch b/debian/patches/CVE-2020-35979.patch
deleted file mode 100644
index 0c5bb10..0000000
--- a/debian/patches/CVE-2020-35979.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From b15020f54aff24aaeb64b80771472be8e64a7adc Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Mon, 4 Jan 2021 11:24:26 +0100
-Subject: [PATCH] fixed #1662
-
----
- src/media_tools/isom_hinter.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/src/media_tools/isom_hinter.c b/src/media_tools/isom_hinter.c
-index 8af1d04b7f..2d05934f6d 100644
---- a/src/media_tools/isom_hinter.c
-+++ b/src/media_tools/isom_hinter.c
-@@ -793,8 +793,12 @@ GF_Err gf_hinter_track_process(GF_RTPHinter *tkHint)
- }
- remain -= size;
- tkHint->rtp_p->sl_header.accessUnitEndFlag = remain ? 0 : 1;
-- e = gf_rtp_builder_process(tkHint->rtp_p, ptr, size, (u8) !remain, samp->dataLength, duration, (u8) (descIndex + GF_RTP_TX3G_SIDX_OFFSET) );
-- ptr += size;
-+ if (!size) {
-+ GF_LOG(GF_LOG_WARNING, GF_LOG_RTP, ("[rtp hinter] Broken AVC nalu encapsulation: NALU size is 0, ignoring it\n", size));
-+ } else {
-+ e = gf_rtp_builder_process(tkHint->rtp_p, ptr, size, (u8) !remain, samp->dataLength, duration, (u8) (descIndex + GF_RTP_TX3G_SIDX_OFFSET) );
-+ ptr += size;
-+ }
- tkHint->rtp_p->sl_header.accessUnitStartFlag = 0;
- }
- } else {
diff --git a/debian/patches/CVE-2020-35981.patch b/debian/patches/CVE-2020-35981.patch
deleted file mode 100644
index c9e2e57..0000000
--- a/debian/patches/CVE-2020-35981.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From dae9900580a8888969481cd72035408091edb11b Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Mon, 4 Jan 2021 11:06:52 +0100
-Subject: [PATCH] fixed #1659
-
----
- src/isomedia/isom_store.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/isomedia/isom_store.c b/src/isomedia/isom_store.c
-index 37dfbe55a9..ee2b2cfaf2 100644
---- a/src/isomedia/isom_store.c
-+++ b/src/isomedia/isom_store.c
-@@ -150,8 +150,14 @@ GF_Err SetupWriters(MovieWriter *mw, GF_List *writers, u8 interleaving)
-
- trackCount = gf_list_count(movie->moov->trackList);
- for (i = 0; i < trackCount; i++) {
-+ GF_SampleTableBox *stbl;
- trak = gf_isom_get_track(movie->moov, i+1);
-
-+ stbl = (trak->Media && trak->Media->information) ? trak->Media->information->sampleTable : NULL;
-+ if (!stbl || !stbl->SampleSize || !stbl->ChunkOffset || !stbl->SampleToChunk) {
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+
- GF_SAFEALLOC(writer, TrackWriter);
- if (!writer) goto exit;
- writer->sampleNumber = 1;
diff --git a/debian/patches/CVE-2020-35982.patch b/debian/patches/CVE-2020-35982.patch
deleted file mode 100644
index 8269076..0000000
--- a/debian/patches/CVE-2020-35982.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From a4eb327049132359cae54b59faec9e2f14c5a619 Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Mon, 4 Jan 2021 11:10:48 +0100
-Subject: [PATCH] fixed #1660
-
----
- src/media_tools/isom_hinter.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/media_tools/isom_hinter.c b/src/media_tools/isom_hinter.c
-index 5bf89cb5ca..8af1d04b7f 100644
---- a/src/media_tools/isom_hinter.c
-+++ b/src/media_tools/isom_hinter.c
-@@ -967,6 +967,8 @@ GF_Err gf_hinter_track_finalize(GF_RTPHinter *tkHint, Bool AddSystemInfo)
- if (avcc) {
- sprintf(sdpLine, "a=fmtp:%d profile-level-id=%02X%02X%02X; packetization-mode=1", tkHint->rtp_p->PayloadType, avcc->AVCProfileIndication, avcc->profile_compatibility, avcc->AVCLevelIndication);
- } else {
-+ if (!svcc)
-+ return GF_ISOM_INVALID_FILE;
- sprintf(sdpLine, "a=fmtp:%d profile-level-id=%02X%02X%02X; packetization-mode=1", tkHint->rtp_p->PayloadType, svcc->AVCProfileIndication, svcc->profile_compatibility, svcc->AVCLevelIndication);
- }
-
diff --git a/debian/patches/CVE-2021-28300.patch b/debian/patches/CVE-2021-28300.patch
deleted file mode 100644
index 2e39c52..0000000
--- a/debian/patches/CVE-2021-28300.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-From c4a5109dad73abe25ad12d8d529a728ae98d78ca Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Thu, 11 Mar 2021 15:28:56 +0100
-Subject: [PATCH] fixed #1702
-
----
- src/isomedia/track.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- gpac-1.0.1+dfsg1.orig/src/isomedia/track.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/track.c
-@@ -1019,7 +1019,7 @@ GF_Err MergeTrack(GF_TrackBox *trak, GF_
- break;
- }
- }
-- if (saiz && saio) {
-+ if (saiz && saio && senc) {
- for (i = 0; i < saiz->sample_count; i++) {
- GF_CENCSampleAuxInfo *sai;
-
diff --git a/debian/patches/CVE-2021-29279.patch b/debian/patches/CVE-2021-29279.patch
deleted file mode 100644
index 0ea538a..0000000
--- a/debian/patches/CVE-2021-29279.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From da69ad1f970a7e17c865eaec9af98cc84df10d5b Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Mon, 29 Mar 2021 09:17:40 +0200
-Subject: [PATCH] fixed 1718
-
----
- src/filters/reframe_flac.c | 19 ++++++++++++++++++-
- 1 file changed, 18 insertions(+), 1 deletion(-)
-
---- gpac-1.0.1+dfsg1.orig/src/filters/reframe_flac.c
-+++ gpac-1.0.1+dfsg1/src/filters/reframe_flac.c
-@@ -59,6 +59,7 @@ typedef struct
- Bool is_playing;
- Bool is_file;
- Bool initial_play_done, file_loaded;
-+ Bool in_error;
-
- Bool initialized;
- u32 sample_rate, nb_channels, bits_per_sample, block_size;
-@@ -378,6 +379,9 @@ GF_Err flac_dmx_process(GF_Filter *filte
- u64 cts = GF_FILTER_NO_TS;
- FLACHeader hdr;
-
-+ if (ctx->in_error)
-+ return GF_NON_COMPLIANT_BITSTREAM;
-+
- //always reparse duration
- if (!ctx->duration.num)
- flac_dmx_check_dur(filter, ctx);
-@@ -484,7 +488,12 @@ GF_Err flac_dmx_process(GF_Filter *filte
- gf_bs_reassign_buffer(ctx->bs, ctx->flac_buffer, size);
- u32 magic = gf_bs_read_u32(ctx->bs);
- if (magic != GF_4CC('f','L','a','C')) {
--
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[FLACDmx] invalid FLAC magic\n"));
-+ ctx->in_error = GF_TRUE;
-+ ctx->flac_buffer_size = 0;
-+ if (pck)
-+ gf_filter_pid_drop_packet(ctx->ipid);
-+ return GF_NON_COMPLIANT_BITSTREAM;
- }
- while (gf_bs_available(ctx->bs)) {
- Bool last = gf_bs_read_int(ctx->bs, 1);
-@@ -514,6 +523,14 @@ GF_Err flac_dmx_process(GF_Filter *filte
- }
- if (last) break;
- }
-+ if (!dsi_end) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[FLACDmx] invalid FLAC header\n"));
-+ ctx->in_error = GF_TRUE;
-+ ctx->flac_buffer_size = 0;
-+ if (pck)
-+ gf_filter_pid_drop_packet(ctx->ipid);
-+ return GF_NON_COMPLIANT_BITSTREAM;
-+ }
- flac_dmx_check_pid(filter, ctx, ctx->flac_buffer+4, dsi_end-4);
- remain -= size;
- start += size;
diff --git a/debian/patches/CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch b/debian/patches/CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch
deleted file mode 100644
index 42294f2..0000000
--- a/debian/patches/CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-Backport of
-
-From 51cdb67ff7c5f1242ac58c5aa603ceaf1793b788 Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Mon, 29 Mar 2021 09:34:02 +0200
-Subject: [PATCH] add safety in avc/hevc/vvc sps/pps/vps ID check - cf #1720
- #1721 #1722
-
---- gpac-1.0.1+dfsg1.orig/src/media_tools/av_parsers.c
-+++ gpac-1.0.1+dfsg1/src/media_tools/av_parsers.c
-@@ -5012,10 +5012,7 @@ static s32 gf_media_avc_read_sps_bs_inte
- by subset SPS. According to the SVC standard, subset SPS can have the same sps_id
- than its base layer, but it does not refer to the same SPS. */
- sps_id = gf_bs_get_ue(bs) + GF_SVC_SSPS_ID_SHIFT * subseq_sps;
-- if (sps_id >= 32) {
-- return -1;
-- }
-- if (sps_id < 0) {
-+ if ((sps_id < 0) || (sps_id >= 32)) {
- return -1;
- }
-
-@@ -5342,7 +5339,7 @@ static s32 gf_media_avc_read_pps_bs_inte
- /*nal_hdr = */gf_bs_read_u8(bs);
- }
- pps_id = gf_bs_get_ue(bs);
-- if (pps_id >= 255) {
-+ if ((pps_id<0) || (pps_id >= 255)) {
- return -1;
- }
- pps = &avc->pps[pps_id];
-@@ -5350,7 +5347,7 @@ static s32 gf_media_avc_read_pps_bs_inte
-
- if (!pps->status) pps->status = 1;
- pps->sps_id = gf_bs_get_ue(bs);
-- if (pps->sps_id >= 32) {
-+ if ((pps->sps_id<0) || (pps->sps_id >= 32)) {
- pps->sps_id = 0;
- return -1;
- }
-@@ -6595,7 +6592,7 @@ s32 hevc_parse_slice_segment(GF_BitStrea
- }
-
- pps_id = gf_bs_get_ue(bs);
-- if (pps_id >= 64)
-+ if ((pps_id<0) || (pps_id >= 64))
- return -1;
-
- pps = &hevc->pps[pps_id];
-@@ -7409,7 +7406,7 @@ static s32 gf_media_hevc_read_vps_bs_int
- //nalu header already parsed
- vps_id = gf_bs_read_int(bs, 4);
-
-- if (vps_id >= 16) return -1;
-+ if ((vps_id<0) || (vps_id >= 16)) return -1;
-
- vps = &hevc->vps[vps_id];
- vps->bit_pos_vps_extensions = -1;
-@@ -7637,7 +7634,7 @@ static s32 gf_media_hevc_read_sps_bs_int
-
- //nalu header already parsed
- vps_id = gf_bs_read_int(bs, 4);
-- if (vps_id >= 16) {
-+ if ((vps_id<0) || (vps_id >= 16)) {
- return -1;
- }
- memset(&ptl, 0, sizeof(ptl));
diff --git a/debian/patches/CVE-2021-30015.patch b/debian/patches/CVE-2021-30015.patch
deleted file mode 100644
index 632b8b0..0000000
--- a/debian/patches/CVE-2021-30015.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From 13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Mon, 29 Mar 2021 09:21:51 +0200
-Subject: [PATCH] fixed #1719
-
----
- src/filters/reframe_av1.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- gpac-1.0.1+dfsg1.orig/src/filters/reframe_av1.c
-+++ gpac-1.0.1+dfsg1/src/filters/reframe_av1.c
-@@ -718,6 +718,9 @@ static GF_Err av1dmx_parse_flush_sample(
- GF_FilterPacket *pck;
- u8 *output;
-
-+ if (!ctx->opid)
-+ return GF_NON_COMPLIANT_BITSTREAM;
-+
- gf_bs_get_content_no_truncate(ctx->state.bs, &ctx->state.frame_obus, &pck_size, &ctx->state.frame_obus_alloc);
-
- if (!pck_size) {
diff --git a/debian/patches/CVE-2021-30019.patch b/debian/patches/CVE-2021-30019.patch
deleted file mode 100644
index d598629..0000000
--- a/debian/patches/CVE-2021-30019.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 13dad7d5ef74ca2e6fe4010f5b03eb12e9bbe0ec Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Mon, 29 Mar 2021 09:21:51 +0200
-Subject: [PATCH] fixed #1719
-
----
- src/filters/reframe_av1.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- gpac-1.0.1+dfsg1.orig/src/filters/reframe_adts.c
-+++ gpac-1.0.1+dfsg1/src/filters/reframe_adts.c
-@@ -683,6 +683,12 @@ GF_Err adts_dmx_process(GF_Filter *filte
- break;
- }
-
-+ if (ctx->hdr.frame_size < ctx->hdr.hdr_size) {
-+ GF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, ("[ADTSDmx] Corrupted ADTS frame header, resyncing\n"));
-+ ctx->nb_frames = 0;
-+ goto drop_byte;
-+ }
-+
- adts_dmx_check_pid(filter, ctx);
-
- if (!ctx->is_playing) {
diff --git a/debian/patches/CVE-2021-30199.patch b/debian/patches/CVE-2021-30199.patch
deleted file mode 100644
index 2b627a0..0000000
--- a/debian/patches/CVE-2021-30199.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From b2db2f99b4c30f96e17b9a14537c776da6cb5dca Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Thu, 8 Apr 2021 09:29:42 +0200
-Subject: [PATCH] fixed #1728
-
----
- src/filters/reframe_latm.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- gpac-1.0.1+dfsg1.orig/src/filters/reframe_latm.c
-+++ gpac-1.0.1+dfsg1/src/filters/reframe_latm.c
-@@ -424,8 +424,8 @@ GF_Err latm_dmx_process(GF_Filter *filte
- GF_LATMDmxCtx *ctx = gf_filter_get_udta(filter);
- GF_FilterPacket *pck, *dst_pck;
- u32 pos;
-- u8 *data, *output;
-- u32 pck_size, prev_pck_size;
-+ u8 *data=NULL, *output;
-+ u32 pck_size=0, prev_pck_size;
- u64 cts = GF_FILTER_NO_TS;
-
- //always reparse duration
-@@ -448,10 +448,10 @@ GF_Err latm_dmx_process(GF_Filter *filte
- } else {
- return GF_OK;
- }
-+ } else {
-+ data = (char *) gf_filter_pck_get_data(pck, &pck_size);
- }
-
-- data = (char *) gf_filter_pck_get_data(pck, &pck_size);
--
- //input pid sets some timescale - we flushed pending data , update cts
- if (ctx->timescale && pck) {
- cts = gf_filter_pck_get_cts(pck);
diff --git a/debian/patches/CVE-2021-31255.patch b/debian/patches/CVE-2021-31255.patch
deleted file mode 100644
index 2a44594..0000000
--- a/debian/patches/CVE-2021-31255.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 758135e91e623d7dfe7f6aaad7aeb3f791b7a4e5 Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Thu, 8 Apr 2021 10:07:35 +0200
-Subject: [PATCH] fixed #1733
-
----
- src/isomedia/box_code_adobe.c | 35 ++++++++++++++++++++++++++++++-----
- 1 file changed, 30 insertions(+), 5 deletions(-)
-
-diff --git a/src/isomedia/box_code_adobe.c b/src/isomedia/box_code_adobe.c
-index ab5115f25a..711d84bf0d 100644
---- a/src/isomedia/box_code_adobe.c
-+++ b/src/isomedia/box_code_adobe.c
-@@ -79,6 +79,7 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
- int i;
- u32 tmp_strsize;
- char *tmp_str;
-+ Bool zfound=GF_FALSE;
- GF_Err e;
-
- ISOM_DECREASE_SIZE(ptr, 25)
-@@ -102,10 +103,14 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
- ISOM_DECREASE_SIZE(ptr, 1)
- tmp_str[i] = gf_bs_read_u8(bs);
- tmp_strsize--;
-- if (!tmp_str[i])
-+ if (!tmp_str[i]) {
-+ zfound = GF_TRUE;
- break;
-+ }
- i++;
- }
-+ if (!zfound)
-+ return GF_ISOM_INVALID_FILE;
- if (i) {
- ptr->movie_identifier = gf_strdup(tmp_str);
- }
-@@ -114,15 +119,20 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
- ptr->server_entry_count = gf_bs_read_u8(bs);
- for (i=0; iserver_entry_count; i++) {
- int j=0;
-+ zfound = GF_FALSE;
- tmp_strsize=(u32)ptr->size;
- while (tmp_strsize) {
- ISOM_DECREASE_SIZE(ptr, 1)
- tmp_str[j] = gf_bs_read_u8(bs);
- tmp_strsize--;
-- if (!tmp_str[j])
-+ if (!tmp_str[j]) {
-+ zfound = GF_TRUE;
- break;
-+ }
- j++;
- }
-+ if (!zfound)
-+ return GF_ISOM_INVALID_FILE;
- if (j) {
- gf_list_insert(ptr->server_entry_table, gf_strdup(tmp_str), i);
- }
-@@ -132,16 +142,21 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
- ptr->quality_entry_count = gf_bs_read_u8(bs);
- for (i=0; iquality_entry_count; i++) {
- int j=0;
-+ zfound = GF_FALSE;
- tmp_strsize=(u32)ptr->size;
- while (tmp_strsize) {
- ISOM_DECREASE_SIZE(ptr, 1)
- tmp_str[j] = gf_bs_read_u8(bs);
- tmp_strsize--;
-- if (!tmp_str[j])
-+ if (!tmp_str[j]) {
-+ zfound = GF_TRUE;
- break;
-+ }
- j++;
- }
-
-+ if (!zfound)
-+ return GF_ISOM_INVALID_FILE;
- if (j) {
- gf_list_insert(ptr->quality_entry_table, gf_strdup(tmp_str), i);
- }
-@@ -149,28 +164,38 @@ GF_Err abst_box_read(GF_Box *s, GF_BitStream *bs)
-
- i=0;
- tmp_strsize=(u32)ptr->size;
-+ zfound = GF_FALSE;
- while (tmp_strsize) {
- ISOM_DECREASE_SIZE(ptr, 1)
- tmp_str[i] = gf_bs_read_u8(bs);
- tmp_strsize--;
-- if (!tmp_str[i])
-+ if (!tmp_str[i]) {
-+ zfound = GF_TRUE;
- break;
-+ }
- i++;
- }
-+ if (!zfound)
-+ return GF_ISOM_INVALID_FILE;
- if (i) {
- ptr->drm_data = gf_strdup(tmp_str);
- }
-
- i=0;
- tmp_strsize=(u32)ptr->size;
-+ zfound = GF_FALSE;
- while (tmp_strsize) {
- ISOM_DECREASE_SIZE(ptr, 1)
- tmp_str[i] = gf_bs_read_u8(bs);
- tmp_strsize--;
-- if (!tmp_str[i])
-+ if (!tmp_str[i]) {
-+ zfound = GF_TRUE;
- break;
-+ }
- i++;
- }
-+ if (!zfound)
-+ return GF_ISOM_INVALID_FILE;
- if (i) {
- ptr->meta_data = gf_strdup(tmp_str);
- }
diff --git a/debian/patches/CVE-2021-31256.patch b/debian/patches/CVE-2021-31256.patch
deleted file mode 100644
index d5b2896..0000000
--- a/debian/patches/CVE-2021-31256.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 2da2f68bffd51d89b1d272d22aa8cc023c1c066e Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Fri, 12 Mar 2021 11:46:56 +0100
-Subject: [PATCH] fixed #1705
-
----
- src/isomedia/stbl_read.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/isomedia/stbl_read.c b/src/isomedia/stbl_read.c
-index ebfbe62abe..384d4f7827 100644
---- a/src/isomedia/stbl_read.c
-+++ b/src/isomedia/stbl_read.c
-@@ -419,11 +419,13 @@ GF_Err stbl_GetSampleInfos(GF_SampleTableBox *stbl, u32 sampleNumber, u64 *offse
- if ( stbl->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) {
- stco = (GF_ChunkOffsetBox *)stbl->ChunkOffset;
- if (!stco->offsets) return GF_ISOM_INVALID_FILE;
-+ if (stco->nb_entries < sampleNumber) return GF_ISOM_INVALID_FILE;
-
- (*offset) = (u64) stco->offsets[sampleNumber - 1];
- } else {
- co64 = (GF_ChunkLargeOffsetBox *)stbl->ChunkOffset;
- if (!co64->offsets) return GF_ISOM_INVALID_FILE;
-+ if (co64->nb_entries < sampleNumber) return GF_ISOM_INVALID_FILE;
-
- (*offset) = co64->offsets[sampleNumber - 1];
- }
diff --git a/debian/patches/CVE-2021-31257.patch b/debian/patches/CVE-2021-31257.patch
deleted file mode 100644
index fbfe1da..0000000
--- a/debian/patches/CVE-2021-31257.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-From 87afe070cd6866df7fe80f11b26ef75161de85e0 Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Thu, 8 Apr 2021 10:09:46 +0200
-Subject: [PATCH] fixed #1734
-
----
- applications/mp4box/main.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- gpac-1.0.1+dfsg1.orig/applications/mp4box/main.c
-+++ gpac-1.0.1+dfsg1/applications/mp4box/main.c
-@@ -1296,7 +1296,7 @@ GF_Err HintFile(GF_ISOFile *file, u32 MT
-
- streamType = 0;
- esd = gf_isom_get_esd(file, i+1, 1);
-- if (esd) {
-+ if (esd && esd->decoderConfig) {
- streamType = esd->decoderConfig->streamType;
- if (!prev_ocr) {
- prev_ocr = esd->OCRESID;
diff --git a/debian/patches/CVE-2021-31258.patch b/debian/patches/CVE-2021-31258.patch
deleted file mode 100644
index 6405695..0000000
--- a/debian/patches/CVE-2021-31258.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From ebfa346eff05049718f7b80041093b4c5581c24e Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Fri, 12 Mar 2021 11:56:53 +0100
-Subject: [PATCH] fixed #1706
-
----
- src/isomedia/isom_read.c | 1 +
- src/isomedia/isom_write.c | 13 ++++++++++---
- src/media_tools/isom_hinter.c | 6 +++++-
- 3 files changed, 16 insertions(+), 4 deletions(-)
-
---- gpac-1.0.1+dfsg1.orig/src/isomedia/isom_read.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/isom_read.c
-@@ -3802,6 +3802,7 @@ u32 gf_isom_guess_specification(GF_ISOFi
- case GF_ISOM_SUBTYPE_MPEG4_CRYP:
- {
- GF_DecoderConfig *dcd = gf_isom_get_decoder_config(file, i+1, 1);
-+ if (!dcd) break;
- switch (dcd->streamType) {
- case GF_STREAM_VISUAL:
- if (dcd->objectTypeIndication==GF_CODECID_MPEG4_PART2) nb_m4v++;
---- gpac-1.0.1+dfsg1.orig/src/isomedia/isom_write.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/isom_write.c
-@@ -5224,6 +5224,7 @@ GF_Err gf_isom_set_extraction_slc(GF_ISO
- GF_SampleEntryBox *entry;
- GF_Err e;
- GF_SLConfig **slc;
-+ GF_ESDBox *esds;
-
- trak = gf_isom_get_track_from_file(the_file, trackNumber);
- if (!trak) return GF_BAD_PARAM;
-@@ -5234,15 +5235,21 @@ GF_Err gf_isom_set_extraction_slc(GF_ISO
- //we must be sure we are not using a remote ESD
- switch (entry->type) {
- case GF_ISOM_BOX_TYPE_MP4S:
-- if (((GF_MPEGSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM;
-+ esds = ((GF_MPEGSampleEntryBox *)entry)->esd;
-+ if (!esds || !esds->desc || !esds->desc->slConfig || (esds->desc->slConfig->predefined != SLPredef_MP4))
-+ return GF_ISOM_INVALID_FILE;
- slc = & ((GF_MPEGSampleEntryBox *)entry)->slc;
- break;
- case GF_ISOM_BOX_TYPE_MP4A:
-- if (((GF_MPEGAudioSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM;
-+ esds = ((GF_MPEGAudioSampleEntryBox *)entry)->esd;
-+ if (!esds || !esds->desc || !esds->desc->slConfig || (esds->desc->slConfig->predefined != SLPredef_MP4))
-+ return GF_ISOM_INVALID_FILE;
- slc = & ((GF_MPEGAudioSampleEntryBox *)entry)->slc;
- break;
- case GF_ISOM_BOX_TYPE_MP4V:
-- if (((GF_MPEGVisualSampleEntryBox *)entry)->esd->desc->slConfig->predefined != SLPredef_MP4) return GF_BAD_PARAM;
-+ esds = ((GF_MPEGVisualSampleEntryBox *)entry)->esd;
-+ if (!esds || !esds->desc || !esds->desc->slConfig || (esds->desc->slConfig->predefined != SLPredef_MP4))
-+ return GF_ISOM_INVALID_FILE;
- slc = & ((GF_MPEGVisualSampleEntryBox *)entry)->slc;
- break;
- default:
---- gpac-1.0.1+dfsg1.orig/src/media_tools/isom_hinter.c
-+++ gpac-1.0.1+dfsg1/src/media_tools/isom_hinter.c
-@@ -641,7 +641,11 @@ GF_RTPHinter *gf_hinter_track_new(GF_ISO
- if (hintType==GF_RTP_PAYT_MPEG4) {
- tmp->rtp_p->slMap.CodecID = codecid;
- /*set this SL for extraction.*/
-- gf_isom_set_extraction_slc(file, TrackNum, 1, &my_sl);
-+ *e = gf_isom_set_extraction_slc(file, TrackNum, 1, &my_sl);
-+ if (*e) {
-+ gf_hinter_track_del(tmp);
-+ return NULL;
-+ }
- }
- tmp->bandwidth = bandwidth;
-
diff --git a/debian/patches/CVE-2021-31260.patch b/debian/patches/CVE-2021-31260.patch
deleted file mode 100644
index 01f70ad..0000000
--- a/debian/patches/CVE-2021-31260.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From df8fffd839fe5ae9acd82d26fd48280a397411d9 Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Thu, 8 Apr 2021 10:21:26 +0200
-Subject: [PATCH] fixed #1736
-
----
- src/isomedia/track.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
---- gpac-1.0.1+dfsg1.orig/src/isomedia/track.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/track.c
-@@ -1003,10 +1003,13 @@ GF_Err MergeTrack(GF_TrackBox *trak, GF_
- if ((aux_info_type == GF_ISOM_CENC_SCHEME) || (aux_info_type == GF_ISOM_CBC_SCHEME) ||
- (aux_info_type == GF_ISOM_CENS_SCHEME) || (aux_info_type == GF_ISOM_CBCS_SCHEME) ||
- (gf_list_count(traf->sai_offsets) == 1)) {
-- offset = saio->offsets[0] + moof_offset;
-- nb_saio = saio->entry_count;
-- break;
-+ if (saio->offsets && saio->entry_count) {
-+ offset = saio->offsets[0] + moof_offset;
-+ nb_saio = saio->entry_count;
-+ break;
-+ }
- }
-+ saio = NULL;
- }
- for (i = 0; i < gf_list_count(traf->sai_sizes); i++) {
- saiz = (GF_SampleAuxiliaryInfoSizeBox *)gf_list_get(traf->sai_sizes, i);
-@@ -1018,6 +1021,7 @@ GF_Err MergeTrack(GF_TrackBox *trak, GF_
- (gf_list_count(traf->sai_sizes) == 1)) {
- break;
- }
-+ saiz = NULL;
- }
- if (saiz && saio && senc) {
- for (i = 0; i < saiz->sample_count; i++) {
diff --git a/debian/patches/CVE-2021-31261.patch b/debian/patches/CVE-2021-31261.patch
deleted file mode 100644
index 2865313..0000000
--- a/debian/patches/CVE-2021-31261.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From cd3738dea038dbd12e603ad48cd7373ae0440f65 Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Fri, 9 Apr 2021 11:12:47 +0200
-Subject: [PATCH] fixed #1737
-
----
- src/media_tools/isom_hinter.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/media_tools/isom_hinter.c b/src/media_tools/isom_hinter.c
-index 6aeb9d172..6c4da454a 100644
---- a/src/media_tools/isom_hinter.c
-+++ b/src/media_tools/isom_hinter.c
-@@ -402,8 +402,9 @@ GF_RTPHinter *gf_hinter_track_new(GF_ISOFile *file, u32 TrackNum,
- else if (gf_isom_has_sync_shadows(file, TrackNum) || gf_isom_has_sample_dependency(file, TrackNum)) {
- flags |= GP_RTP_PCK_SYSTEMS_CAROUSEL;
- }
-- gf_odf_desc_del((GF_Descriptor*)esd);
- }
-+ if (esd)
-+ gf_odf_desc_del((GF_Descriptor*)esd);
- break;
- case GF_ISOM_SUBTYPE_3GP_H263:
- hintType = GF_RTP_PAYT_H263;
diff --git a/debian/patches/CVE-2021-31262.patch b/debian/patches/CVE-2021-31262.patch
deleted file mode 100644
index 20c9d96..0000000
--- a/debian/patches/CVE-2021-31262.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From b2eab95e07cb5819375a50358d4806a8813b6e50 Mon Sep 17 00:00:00 2001
-From: jeanlf
-Date: Fri, 9 Apr 2021 11:17:40 +0200
-Subject: [PATCH] fixed #1738
-
----
- src/isomedia/avc_ext.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
---- gpac-1.0.1+dfsg1.orig/src/isomedia/avc_ext.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/avc_ext.c
-@@ -1330,7 +1330,8 @@ static GF_Err gf_isom_check_mvc(GF_ISOFi
- return GF_OK;
- }
-
--static GF_AV1Config* AV1_DuplicateConfig(GF_AV1Config const * const cfg) {
-+static GF_AV1Config* AV1_DuplicateConfig(GF_AV1Config const * const cfg)
-+{
- u32 i = 0;
- GF_AV1Config *out = gf_malloc(sizeof(GF_AV1Config));
-
-@@ -1374,7 +1375,7 @@ void AV1_RewriteESDescriptorEx(GF_MPEGVi
- av1->emul_esd->decoderConfig->avgBitrate = btrt->avgBitrate;
- av1->emul_esd->decoderConfig->maxBitrate = btrt->maxBitrate;
- }
-- if (av1->av1_config) {
-+ if (av1->av1_config && av1->av1_config->config) {
- GF_AV1Config *av1_cfg = AV1_DuplicateConfig(av1->av1_config->config);
- if (av1_cfg) {
- gf_odf_av1_cfg_write(av1_cfg, &av1->emul_esd->decoderConfig->decoderSpecificInfo->data, &av1->emul_esd->decoderConfig->decoderSpecificInfo->dataLength);
-@@ -2275,7 +2276,7 @@ GF_AV1Config *gf_isom_av1_config_get(GF_
- trak = gf_isom_get_track_from_file(the_file, trackNumber);
- if (!trak || !trak->Media || !DescriptionIndex) return NULL;
- entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex - 1);
-- if (!entry || !entry->av1_config) return NULL;
-+ if (!entry || !entry->av1_config|| !entry->av1_config->config) return NULL;
- return AV1_DuplicateConfig(entry->av1_config->config);
- }
-
diff --git a/debian/patches/series b/debian/patches/series
index 39cc63a..db87f3b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,21 +1,2 @@
 gcc-optflags.patch
 dont-err-build-on-uknown-system.patch
-CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch
-CVE-2020-35979.patch
-CVE-2020-35981.patch
-CVE-2020-35982.patch
-CVE-2021-28300.patch
-CVE-2021-29279.patch
-CVE-2021-31255.patch
-CVE-2021-31256.patch
-CVE-2021-31261.patch
-CVE-2021-30015.patch
-CVE-2021-30019.patch
-CVE-2021-30199.patch
-CVE-2021-31257.patch
-CVE-2021-31258.patch
-CVE-2021-31260.patch
-CVE-2021-31262.patch
-talos-2021-1297.patch
-talos-2021-1298.patch
-talos-2021-1299.patch
diff --git a/debian/patches/talos-2021-1297.patch b/debian/patches/talos-2021-1297.patch
deleted file mode 100644
index e275d40..0000000
--- a/debian/patches/talos-2021-1297.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-Backport of https://github.com/gpac/gpac/commit/b515fd04f5f00f4a99df741042f1efb31ad56351
-https://talosintelligence.com/vulnerability_reports/TALOS-2021-1297
-
---- gpac-1.0.1+dfsg1.orig/src/isomedia/box_code_base.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/box_code_base.c
-@@ -46,7 +46,7 @@ GF_Err co64_box_read(GF_Box *s,GF_BitStr
-
- ISOM_DECREASE_SIZE(ptr, 4)
-
-- if (ptr->nb_entries > ptr->size / 8) {
-+ if ((u64)ptr->nb_entries > ptr->size / 8 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u64)) {
- GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in co64\n", ptr->nb_entries));
- return GF_ISOM_INVALID_FILE;
- }
-@@ -392,7 +392,7 @@ GF_Err ctts_box_read(GF_Box *s, GF_BitSt
- ISOM_DECREASE_SIZE(ptr, 4);
- ptr->nb_entries = gf_bs_read_u32(bs);
-
-- if (ptr->nb_entries > ptr->size / 8) {
-+ if (ptr->nb_entries > ptr->size / 8 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_DttsEntry) ) {
- GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in ctts\n", ptr->nb_entries));
- return GF_ISOM_INVALID_FILE;
- }
-@@ -3194,6 +3194,10 @@ GF_Err tfra_box_read(GF_Box *s, GF_BitSt
- }
-
- if (ptr->nb_entries) {
-+ if ((u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_RandomAccessEntry)) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in traf\n", ptr->nb_entries));
-+ return GF_ISOM_INVALID_FILE;
-+ }
- p = (GF_RandomAccessEntry *) gf_malloc(sizeof(GF_RandomAccessEntry) * ptr->nb_entries);
- if (!p) return GF_OUT_OF_MEM;
- }
-@@ -5104,7 +5108,7 @@ GF_Err stco_box_read(GF_Box *s, GF_BitSt
-
- ISOM_DECREASE_SIZE(ptr, 4);
- ptr->nb_entries = gf_bs_read_u32(bs);
-- if (ptr->nb_entries > ptr->size / 4) {
-+ if (ptr->nb_entries > ptr->size / 4 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u32)) {
- GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stco\n", ptr->nb_entries));
- return GF_ISOM_INVALID_FILE;
- }
-@@ -5236,7 +5240,7 @@ GF_Err stsc_box_read(GF_Box *s, GF_BitSt
- ISOM_DECREASE_SIZE(ptr, 4);
- ptr->nb_entries = gf_bs_read_u32(bs);
-
-- if (ptr->nb_entries > ptr->size / 12) {
-+ if (ptr->nb_entries > ptr->size / 12 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_StscEntry)) {
- GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stsc\n", ptr->nb_entries));
- return GF_ISOM_INVALID_FILE;
- }
-@@ -5575,6 +5579,10 @@ GF_Err stsz_box_read(GF_Box *s, GF_BitSt
- }
- }
- }
-+ if (ptr->sampleCount && (u64)ptr->sampleCount > (u64)SIZE_MAX/sizeof(u32)) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stsz\n", ptr->sampleCount));
-+ return GF_ISOM_INVALID_FILE;
-+ }
- if (s->type == GF_ISOM_BOX_TYPE_STSZ) {
- if (! ptr->sampleSize && ptr->sampleCount) {
- if (ptr->sampleCount > ptr->size / 4) {
-@@ -5779,7 +5787,7 @@ GF_Err stts_box_read(GF_Box *s, GF_BitSt
-
- ISOM_DECREASE_SIZE(ptr, 4);
- ptr->nb_entries = gf_bs_read_u32(bs);
-- if (ptr->size < ptr->nb_entries * 8) {
-+ if (ptr->size / 8 < ptr->nb_entries || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(GF_SttsEntry)) {
- GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stts\n", ptr->nb_entries));
- return GF_ISOM_INVALID_FILE;
- }
-@@ -7276,6 +7284,10 @@ GF_Err trun_box_read(GF_Box *s, GF_BitSt
- if (ptr->sample_count * 4 > ptr->size) {
- ISOM_DECREASE_SIZE(ptr, ptr->sample_count*4);
- }
-+ if ((u64)ptr->sample_count > (u64)SIZE_MAX/sizeof(GF_TrunEntry)) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of samples %d in trun\n", ptr->sample_count));
-+ return GF_ISOM_INVALID_FILE;
-+ }
- ptr->samples = gf_malloc(sizeof(GF_TrunEntry) * ptr->sample_count);
- if (!ptr->samples) return GF_OUT_OF_MEM;
- ptr->sample_alloc = ptr->nb_samples = ptr->sample_count;
-@@ -8786,7 +8798,7 @@ GF_Err ssix_box_read(GF_Box *s, GF_BitSt
- ISOM_DECREASE_SIZE(ptr, 4)
- ptr->subsegment_count = gf_bs_read_u32(bs);
- //each subseg has at least one range_count (4 bytes), abort if not enough bytes (broken box)
-- if (ptr->size < ptr->subsegment_count*4)
-+ if (ptr->size / 4 < ptr->subsegment_count || (u64)ptr->subsegment_count > (u64)SIZE_MAX/sizeof(GF_SubsegmentInfo))
- return GF_ISOM_INVALID_FILE;
-
- GF_SAFE_ALLOC_N(ptr->subsegments, ptr->subsegment_count, GF_SubsegmentInfo);
-@@ -8797,7 +8809,7 @@ GF_Err ssix_box_read(GF_Box *s, GF_BitSt
- ISOM_DECREASE_SIZE(ptr, 4)
- subseg->range_count = gf_bs_read_u32(bs);
- //each range is 4 bytes, abort if not enough bytes
-- if (ptr->size < subseg->range_count*4)
-+ if (ptr->size / 4 < subseg->range_count || (u64)subseg->range_count > (u64)SIZE_MAX/sizeof(GF_SubsegmentRangeInfo))
- return GF_ISOM_INVALID_FILE;
- subseg->ranges = (GF_SubsegmentRangeInfo*) gf_malloc(sizeof(GF_SubsegmentRangeInfo) * subseg->range_count);
- if (!subseg->ranges) return GF_OUT_OF_MEM;
-@@ -8979,6 +8991,11 @@ GF_Err pcrb_box_read(GF_Box *s,GF_BitStr
- ISOM_DECREASE_SIZE(ptr, 4);
- ptr->subsegment_count = gf_bs_read_u32(bs);
-
-+ if ((u64)ptr->subsegment_count > ptr->size / 8 || (u64)ptr->subsegment_count > (u64)SIZE_MAX/sizeof(u64)) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of subsegment %d in pcrb\n", ptr->subsegment_count));
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+
- ptr->pcr_values = gf_malloc(sizeof(u64)*ptr->subsegment_count);
- if (!ptr->pcr_values) return GF_OUT_OF_MEM;
- for (i=0; isubsegment_count; i++) {
-@@ -9303,7 +9320,7 @@ GF_Err sbgp_box_read(GF_Box *s, GF_BitSt
- }
- ptr->entry_count = gf_bs_read_u32(bs);
-
-- if (ptr->size < sizeof(GF_SampleGroupEntry)*ptr->entry_count)
-+ if (ptr->size < sizeof(GF_SampleGroupEntry)*ptr->entry_count || (u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(GF_SampleGroupEntry))
- return GF_ISOM_INVALID_FILE;
-
- ptr->sample_entries = gf_malloc(sizeof(GF_SampleGroupEntry)*ptr->entry_count);
-@@ -9860,7 +9877,7 @@ GF_Err saio_box_read(GF_Box *s, GF_BitSt
-
- if (ptr->entry_count) {
- u32 i;
-- if (ptr->size < (ptr->version == 0 ? 4 : 8) * ptr->entry_count)
-+ if (ptr->size / (ptr->version == 0 ? 4 : 8) < ptr->entry_count || (u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(u64))
- return GF_ISOM_INVALID_FILE;
- ptr->offsets = gf_malloc(sizeof(u64)*ptr->entry_count);
- if (!ptr->offsets)
-@@ -10368,7 +10385,7 @@ GF_Err fpar_box_read(GF_Box *s, GF_BitSt
-
- ISOM_DECREASE_SIZE(ptr, (ptr->version ? 4 : 2) );
- ptr->nb_entries = gf_bs_read_int(bs, ptr->version ? 32 : 16);
-- if (ptr->nb_entries > UINT_MAX / 6)
-+ if (ptr->nb_entries > ptr->size / 6 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(FilePartitionEntry))
- return GF_ISOM_INVALID_FILE;
-
- ISOM_DECREASE_SIZE(ptr, ptr->nb_entries * 6 );
-@@ -10454,6 +10471,11 @@ GF_Err fecr_box_read(GF_Box *s, GF_BitSt
- ISOM_DECREASE_SIZE(ptr, (ptr->version ? 4 : 2) );
- ptr->nb_entries = gf_bs_read_int(bs, ptr->version ? 32 : 16);
-
-+ if (ptr->nb_entries > ptr->size / (ptr->version ? 8 : 6) || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(FECReservoirEntry) ) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in fecr\n", ptr->nb_entries));
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+
- ISOM_DECREASE_SIZE(ptr, ptr->nb_entries * (ptr->version ? 8 : 6) );
- GF_SAFE_ALLOC_N(ptr->entries, ptr->nb_entries, FECReservoirEntry);
- if (!ptr->entries) return GF_OUT_OF_MEM;
diff --git a/debian/patches/talos-2021-1298.patch b/debian/patches/talos-2021-1298.patch
deleted file mode 100644
index 573b6c5..0000000
--- a/debian/patches/talos-2021-1298.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-Backport of https://github.com/gpac/gpac/commit/8cd33e8977fd5f4215e4b67c309fd403762bfeb7
-
-https://talosintelligence.com/vulnerability_reports/TALOS-2021-1298
-
---- gpac-1.0.1+dfsg1.orig/src/isomedia/box_code_base.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/box_code_base.c
-@@ -1653,17 +1653,23 @@ GF_Err hdlr_box_read(GF_Box *s, GF_BitSt
- gf_bs_set_cookie(bs, cookie);
-
- if (ptr->size) {
-- ptr->nameUTF8 = (char*)gf_malloc((u32) ptr->size);
-+ u32 name_size = (u32) ptr->size;
-+ if (name_size < 1) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in hdlr\n", ptr->size));
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+ ptr->nameUTF8 = (char*)gf_malloc(name_size);
- if (!ptr->nameUTF8) return GF_OUT_OF_MEM;
-- gf_bs_read_data(bs, ptr->nameUTF8, (u32) ptr->size);
-+ gf_bs_read_data(bs, ptr->nameUTF8, name_size);
-
- //patch for old QT files - we cannot rely on checking if str[0]==len(str+1) since we may have
- //cases where the first character of the string decimal value is indeed the same as the string length!!
- //we had this issue with encryption_import test
- //we therefore only check if last char is null, and if not so assume old QT style
-- if (ptr->nameUTF8[ptr->size-1]) {
-- memmove(ptr->nameUTF8, ptr->nameUTF8+1, sizeof(char) * (u32) (ptr->size-1) );
-- ptr->nameUTF8[ptr->size-1] = 0;
-+ if (ptr->nameUTF8[name_size-1]) {
-+ if (name_size > 1)
-+ memmove(ptr->nameUTF8, ptr->nameUTF8+1, sizeof(char) * (u32) (name_size-1) );
-+ ptr->nameUTF8[name_size-1] = 0;
- ptr->store_counted_string = GF_TRUE;
- }
- }
-@@ -6687,6 +6693,10 @@ GF_Err stri_box_read(GF_Box *s, GF_BitSt
- ptr->alternate_group = gf_bs_read_u16(bs);
- ptr->sub_track_id = gf_bs_read_u32(bs);
- ptr->attribute_count = ptr->size / 4;
-+ if ((u64)ptr->attribute_count > (u64)SIZE_MAX/sizeof(u32)) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in stri\n", ptr->size));
-+ return GF_ISOM_INVALID_FILE;
-+ }
- GF_SAFE_ALLOC_N(ptr->attribute_list, (size_t)ptr->attribute_count, u32);
- if (!ptr->attribute_list) return GF_OUT_OF_MEM;
- for (i = 0; i < ptr->attribute_count; i++) {
-@@ -10972,6 +10982,10 @@ GF_Err trik_box_read(GF_Box *s,GF_BitStr
- u32 i;
- GF_TrickPlayBox *ptr = (GF_TrickPlayBox *) s;
- ptr->entry_count = (u32) ptr->size;
-+ if ((u64)ptr->entry_count > (u64)SIZE_MAX/sizeof(GF_TrickPlayBoxEntry)) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in trik\n", ptr->size));
-+ return GF_ISOM_INVALID_FILE;
-+ }
- ptr->entries = (GF_TrickPlayBoxEntry *) gf_malloc(ptr->entry_count * sizeof(GF_TrickPlayBoxEntry) );
- if (!ptr->entries) return GF_OUT_OF_MEM;
-
diff --git a/debian/patches/talos-2021-1299.patch b/debian/patches/talos-2021-1299.patch
deleted file mode 100644
index 51f5378..0000000
--- a/debian/patches/talos-2021-1299.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-Backport of https://github.com/gpac/gpac/commit/bbd741e0e5a6e7e1e90a73c350acc061dde9450b
-
-NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1299
-
---- gpac-1.0.1+dfsg1.orig/src/isomedia/box_code_base.c
-+++ gpac-1.0.1+dfsg1/src/isomedia/box_code_base.c
-@@ -577,10 +577,15 @@ GF_Err url_box_read(GF_Box *s, GF_BitStr
- GF_DataEntryURLBox *ptr = (GF_DataEntryURLBox *)s;
-
- if (ptr->size) {
-- ptr->location = (char*)gf_malloc((u32) ptr->size);
-+ u32 location_size = (u32) ptr->size;
-+ if (location_size < 1) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in svhd box\n", ptr->size));
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+ ptr->location = (char*)gf_malloc(location_size);
- if (! ptr->location) return GF_OUT_OF_MEM;
-- gf_bs_read_data(bs, ptr->location, (u32)ptr->size);
-- if (ptr->location[ptr->size-1]) {
-+ gf_bs_read_data(bs, ptr->location, location_size);
-+ if (ptr->location[location_size-1]) {
- GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] url box location is not 0-terminated\n" ));
- return GF_ISOM_INVALID_FILE;
- }
-@@ -1894,6 +1899,12 @@ GF_Err sdp_box_read(GF_Box *s, GF_BitStr
- if (ptr == NULL) return GF_BAD_PARAM;
-
- length = (u32) (ptr->size);
-+
-+ if (length >= (u32)0xFFFFFFFF) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in sdp box\n", length));
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+
- //sdp text has no delimiter !!!
- ptr->sdpText = (char*)gf_malloc(sizeof(char) * (length+1));
- if (!ptr->sdpText) return GF_OUT_OF_MEM;
-@@ -1951,6 +1962,12 @@ GF_Err rtp_hnti_box_read(GF_Box *s, GF_B
- ptr->subType = gf_bs_read_u32(bs);
-
- length = (u32) (ptr->size);
-+
-+ if (length >= (u32)0xFFFFFFFF) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in rtp_hnti box\n", length));
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+
- //sdp text has no delimiter !!!
- ptr->sdpText = (char*)gf_malloc(sizeof(char) * (length+1));
- if (!ptr->sdpText) return GF_OUT_OF_MEM;
-@@ -2614,6 +2631,12 @@ GF_Err name_box_read(GF_Box *s, GF_BitSt
- GF_NameBox *ptr = (GF_NameBox *)s;
-
- length = (u32) (ptr->size);
-+
-+ if (length >= (u32)0xFFFFFFFF) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in name box\n", length));
-+ return GF_ISOM_INVALID_FILE;
-+ }
-+
- ptr->string = (char*)gf_malloc(sizeof(char) * (length+1));
- if (! ptr->string) return GF_OUT_OF_MEM;
-
-@@ -8437,6 +8460,10 @@ void txtc_box_del(GF_Box *s)
- GF_Err txtc_box_read(GF_Box *s, GF_BitStream *bs)
- {
- GF_TextConfigBox *ptr = (GF_TextConfigBox*)s;
-+ if ((u32)ptr->size >= (u32)0xFFFFFFFF) {
-+ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in txtc box\n", ptr->size));
-+ return GF_ISOM_INVALID_FILE;
-+ }
- ptr->config = (char *)gf_malloc(sizeof(char)*((u32) ptr->size+1));
- if (!ptr->config) return GF_OUT_OF_MEM;
- gf_bs_read_data(bs, ptr->config, (u32) ptr->size);
--
2.30.2