From bae62d7b1b0c88b786dbd34826901575bfb0cd5d Mon Sep 17 00:00:00 2001
From: Reinhard Tartler
Date: Sat, 4 Mar 2023 12:35:12 -0500
Subject: [PATCH] fix DoS in function BS_ReadByte, CVE-2022-29339
---
 debian/patches/CVE-2022-29339.patch | 74 +++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 75 insertions(+)
 create mode 100644 debian/patches/CVE-2022-29339.patch
diff --git a/debian/patches/CVE-2022-29339.patch b/debian/patches/CVE-2022-29339.patch
new file mode 100644
index 0000000..f9470e2
--- /dev/null
+++ b/debian/patches/CVE-2022-29339.patch
@@ -0,0 +1,74 @@
+commit c4c76cc6e71f063d7d4664fa803ffea284e69ed9 (HEAD -> master)
+Author: jeanlf
+Date: Tue Apr 12 10:56:15 2022 +0200
+
+ fixed #2165
+
+diff --git a/src/isomedia/avc_ext.c b/src/isomedia/avc_ext.c
+index d4a58492b..365fa6b94 100644
+--- a/src/isomedia/avc_ext.c
++++ b/src/isomedia/avc_ext.c
+@@ -3523,6 +3523,11 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
+ op->layers_info[j].layer_id = gf_bs_read_int(bs, 6);
+ op->layers_info[j].is_outputlayer = gf_bs_read_int(bs, 1) ? GF_TRUE : GF_FALSE;
+ op->layers_info[j].is_alternate_outputlayer = gf_bs_read_int(bs, 1) ? GF_TRUE : GF_FALSE;
++
++ if (gf_bs_is_overflow(bs)) {
++ gf_free(op);
++ return GF_NON_COMPLIANT_BITSTREAM;
++ }
+ }
+ op->minPicWidth = gf_bs_read_u16(bs);
+ op->minPicHeight = gf_bs_read_u16(bs);
+@@ -3542,6 +3547,10 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
+ op->maxBitRate = gf_bs_read_u32(bs);
+ op->avgBitRate = gf_bs_read_u32(bs);
+ }
++ if (gf_bs_is_overflow(bs)) {
++ gf_free(op);
++ return GF_NON_COMPLIANT_BITSTREAM;
++ }
+ gf_list_add(ptr->operating_points, op);
+ }
+ count = gf_bs_read_u8(bs);
+@@ -3561,6 +3570,10 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
+ if (ptr->scalability_mask & (1 << j))
+ dep->dimension_identifier[j] = gf_bs_read_u8(bs);
+ }
++ if (gf_bs_is_overflow(bs)) {
++ gf_free(dep);
++ return GF_NON_COMPLIANT_BITSTREAM;
++ }
+ gf_list_add(ptr->dependency_layers, dep);
+ }
+
+diff --git a/src/utils/bitstream.c b/src/utils/bitstream.c
+index 6ea644ca1..a446499c6 100644
+--- a/src/utils/bitstream.c
++++ b/src/utils/bitstream.c
+@@ -375,9 +375,12 @@ static u8 BS_ReadByte(GF_BitStream *bs)
+ bs_flush_write_cache(bs);
+
+ is_eos = gf_feof(bs->stream);
++ //cache not fully read, reset EOS
++ if (bs->cache_read && (bs->cache_read_poscache_read_size))
++ is_eos = GF_FALSE;
+
+ /*we are in FILE mode, test for end of file*/
+- if (!is_eos || bs->cache_read) {
++ if (!is_eos) {
+ u8 res;
+ Bool loc_eos=GF_FALSE;
+ assert(bs->position<=bs->size);
+@@ -408,7 +411,10 @@ bs_eof:
+ bs->EndOfStream(bs->par);
+ if (!bs->overflow_state) bs->overflow_state = 1;
+ } else {
+- GF_LOG(GF_LOG_ERROR, GF_LOG_CORE, ("[BS] Attempt to overread bitstream\n"));
++ if (!bs->overflow_state) {
++ bs->overflow_state = 1;
++ GF_LOG(GF_LOG_ERROR, GF_LOG_CORE, ("[BS] Attempt to overread bitstream\n"));
++ }
+ }
+ assert(bs->position <= 1+bs->size);
+ return 0;
diff --git a/debian/patches/series b/debian/patches/series
index db87f3b..9740ec7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 gcc-optflags.patch
 dont-err-build-on-uknown-system.patch
+CVE-2022-29339.patch
-- 
2.30.2
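Review bot: The added condition in the BS_ReadByte hunk, `++ if (bs->cache_read && (bs->cache_read_poscache_read_size))`, shows no operator between `cache_read_pos` and `cache_read_size` on this page, so the patch as rendered here would not compile; a `<` comparison was most likely dropped in rendering, and the file committed under debian/patches should be confirmed to read `if (bs->cache_read && (bs->cache_read_pos < bs->cache_read_size))`. That comparison is what bounds the EOS reset to unread cached bytes; the old `!is_eos || bs->cache_read` test kept reading past end-of-file whenever a read cache existed, which the subject line identifies as the DoS, so any typo there would reopen that path. The new patch file also carries only the upstream commit line and no DEP-3 header; a short `Origin: upstream, c4c76cc6e71f063d7d4664fa803ffea284e69ed9` plus `Bug: <upstream issue URL for #2165>` above the commit line would record provenance for future rebases. Both enclosing functions, gf_isom_oinf_read_entry and BS_ReadByte, start and end outside the hunks shown.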