From f244c66330dd9699124cd84fcb71b0f9f2168df0 Mon Sep 17 00:00:00 2001
From: Debian Multimedia Maintainers
Date: Tue, 7 Mar 2023 06:41:07 -0500
Subject: [PATCH] CVE-2022-29339
commit c4c76cc6e71f063d7d4664fa803ffea284e69ed9 (HEAD -> master)
Author: jeanlf
Date: Tue Apr 12 10:56:15 2022 +0200
fixed #2165
Gbp-Pq: Name CVE-2022-29339.patch
---
 src/isomedia/avc_ext.c | 13 +++++++++++++
 src/utils/bitstream.c | 10 ++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/isomedia/avc_ext.c b/src/isomedia/avc_ext.c
index d4a5849..365fa6b 100644
--- a/src/isomedia/avc_ext.c
+++ b/src/isomedia/avc_ext.c
@@ -3523,6 +3523,11 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
 op->layers_info[j].layer_id = gf_bs_read_int(bs, 6);
 op->layers_info[j].is_outputlayer = gf_bs_read_int(bs, 1) ? GF_TRUE : GF_FALSE;
 op->layers_info[j].is_alternate_outputlayer = gf_bs_read_int(bs, 1) ? GF_TRUE : GF_FALSE;
+
+ if (gf_bs_is_overflow(bs)) {
+ gf_free(op);
+ return GF_NON_COMPLIANT_BITSTREAM;
+ }
 }
 op->minPicWidth = gf_bs_read_u16(bs);
 op->minPicHeight = gf_bs_read_u16(bs);
@@ -3542,6 +3547,10 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
 op->maxBitRate = gf_bs_read_u32(bs);
 op->avgBitRate = gf_bs_read_u32(bs);
 }
+ if (gf_bs_is_overflow(bs)) {
+ gf_free(op);
+ return GF_NON_COMPLIANT_BITSTREAM;
+ }
 gf_list_add(ptr->operating_points, op);
 }
 count = gf_bs_read_u8(bs);
@@ -3561,6 +3570,10 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
 if (ptr->scalability_mask & (1 << j))
 dep->dimension_identifier[j] = gf_bs_read_u8(bs);
 }
+ if (gf_bs_is_overflow(bs)) {
+ gf_free(dep);
+ return GF_NON_COMPLIANT_BITSTREAM;
+ }
 gf_list_add(ptr->dependency_layers, dep);
 }
diff --git a/src/utils/bitstream.c b/src/utils/bitstream.c
index 6ea644c..a446499 100644
--- a/src/utils/bitstream.c
+++ b/src/utils/bitstream.c
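Review bot: The overflow check added inside the layer loop of gf_isom_oinf_read_entry (first avc_ext.c hunk) stops the loop on truncated input, but it does not bound `j` itself: the three fields at the top of the hunk are written to `op->layers_info[j]` before any check, and the loop limit lies outside the hunk. Since the error path releases only `op`, `layers_info` is presumably an array embedded in the struct, so it is worth confirming that the layer count taken from the bitstream is rejected when it exceeds that array's capacity. If it is not, a guard placed where the count is read, doing `gf_free(op); return GF_NON_COMPLIANT_BITSTREAM;`, would match the style of this patch.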
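Review bot: The free-and-return sequence in the second avc_ext.c hunk is the same three lines as in the layer-loop hunk before it and, with `dep`, in the dependency-layer hunk after it, and none of them says why a bare `gf_free` is sufficient. A comment such as `/* truncated input: op is not yet in ptr->operating_points, so release it here */` on this check, with the equivalent for `dep`, would record the ownership rule that keeps the early return leak-free. Entries already added to `ptr->operating_points` remain in the list on this path, so the caller presumably has to release `ptr` when an error is returned; that code is outside the hunk.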
@@ -375,9 +375,12 @@ static u8 BS_ReadByte(GF_BitStream *bs)
 bs_flush_write_cache(bs);
 is_eos = gf_feof(bs->stream);
+ //cache not fully read, reset EOS
+ if (bs->cache_read && (bs->cache_read_poscache_read_size))
+ is_eos = GF_FALSE;
 /*we are in FILE mode, test for end of file*/
- if (!is_eos || bs->cache_read) {
+ if (!is_eos) {
 u8 res;
 Bool loc_eos=GF_FALSE;
 assert(bs->position<=bs->size);
@@ -408,7 +411,10 @@ bs_eof:
 bs->EndOfStream(bs->par);
 if (!bs->overflow_state) bs->overflow_state = 1;
 } else {
- GF_LOG(GF_LOG_ERROR, GF_LOG_CORE, ("[BS] Attempt to overread bitstream\n"));
+ if (!bs->overflow_state) {
+ bs->overflow_state = 1;
+ GF_LOG(GF_LOG_ERROR, GF_LOG_CORE, ("[BS] Attempt to overread bitstream\n"));
+ }
 }
 assert(bs->position <= 1+bs->size);
 return 0;
--
2.30.2
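Review bot: The `assert(bs->position<=bs->size)` left as context directly under the new `if (!is_eos)` in BS_ReadByte still sits on the file-mode read path, so an inconsistent position aborts a build with asserts enabled and goes unchecked when they are compiled out; the same applies to `assert(bs->position <= 1+bs->size)` in the second bitstream.c hunk. The added EOS reset narrows when this branch is taken, but a runtime test that routes to the existing end-of-stream handling would be sturdier on malformed files, for example `if (bs->position > bs->size) goto bs_eof;` if that label is reachable from this scope. The added condition appears on this page as `bs->cache_read_poscache_read_size`, which looks like an extraction loss of a comparison between the cache read position and the cache size. The function body continues outside the hunk.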
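Review bot: The overread path in the second bitstream.c hunk still ends in `return 0;`, which a caller cannot tell apart from a real zero byte, and nothing in the block documents that `overflow_state` is the only signal. A comment above the return such as `/* overread yields 0; callers must test gf_bs_is_overflow() */` would state the contract that the checks added to avc_ext.c in this patch depend on, assuming that helper reports this flag. Since the error is now logged only on the first overread, a short note like `/* log once per stream */` on the new inner `if` would also explain why later overreads are silent. The `bs_eof` block starts before the hunk.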