From f639a75741a31ff7c0a4eb672e4f6e4b7bfb37d2 Mon Sep 17 00:00:00 2001
From: Reinhard Tartler
Date: Sat, 4 Mar 2023 12:51:07 -0500
Subject: [PATCH] stack overflow when processing ISOM_IOD, CVE-2022-38530
---
 debian/patches/CVE-2022-38530.patch | 51 +++++++++++++++++++++++++++++
 debian/patches/series | 2 ++
 2 files changed, 53 insertions(+)
 create mode 100644 debian/patches/CVE-2022-38530.patch
diff --git a/debian/patches/CVE-2022-38530.patch b/debian/patches/CVE-2022-38530.patch
new file mode 100644
index 0000000..0a59fa9
--- /dev/null
+++ b/debian/patches/CVE-2022-38530.patch
@@ -0,0 +1,51 @@
+commit 4e56ad72ac1afb4e049a10f2d99e7512d7141f9d
+Author: jeanlf
+Date: Tue Jul 12 18:29:36 2022 +0200
+
+ fixed #2216
+
+Index: gpac/src/odf/desc_private.c
+===================================================================
+--- gpac.orig/src/odf/desc_private.c
++++ gpac/src/odf/desc_private.c
+@@ -273,7 +273,7 @@ GF_Err gf_odf_delete_descriptor(GF_Descr
+ //
+ // READERS
+ //
+-GF_Err gf_odf_read_descriptor(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSize)
++static GF_Err gf_odf_read_descriptor_internal(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSize)
+ {
+ switch (desc->tag) {
+ case GF_ODF_IOD_TAG :
+@@ -368,7 +368,17 @@ GF_Err gf_odf_read_descriptor(GF_BitStre
+ return GF_OK;
+ }
+
+-
++GF_Err gf_odf_read_descriptor(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSize)
++{
++ u64 cookie = gf_bs_get_cookie(bs);
++ //we allow 100 max desc in a hierarchy - see issue 2216
++ if (cookie>100)
++ return GF_NON_COMPLIANT_BITSTREAM;
++ gf_bs_set_cookie(bs, cookie+1);
++ GF_Err e = gf_odf_read_descriptor_internal(bs, desc, DescSize);
++ gf_bs_set_cookie(bs, cookie);
++ return e;
++}
+
+
+
+Index: gpac/applications/mp4box/main.c
+===================================================================
+--- gpac.orig/applications/mp4box/main.c
++++ gpac/applications/mp4box/main.c
+@@ -3602,7 +3602,7 @@ GF_Err HintFile(GF_ISOFile *file, u32 MT
+
+ if (e) {
+ M4_LOG(GF_LOG_ERROR, ("Error while hinting (%s)\n", gf_error_to_string(e)));
+- if (!nb_done) return e;
++ return e;
+ }
+ init_payt++;
+ nb_done ++;
diff --git a/debian/patches/series b/debian/patches/series
index d8f4a91..23d97ef 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,5 @@ CVE-2022-1441.patch
 CVE-2022-1795.patch
 CVE-2022-2453.patch
 CVE-2022-2454.patch
+CVE-2022-38530.patch
+CVE-2022-36186.patch
-- 
2.30.2
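Review bot: The depth guard in the new gf_odf_read_descriptor wrapper keys off the GF_BitStream cookie, so it only bounds recursion if the cookie is zero when descriptor parsing starts and no other reader on the same stream stores its own value there; neither can be confirmed from this hunk, and a caller that resets the cookie between nested reads would defeat the limit, so that contract deserves a comment on the wrapper and a check of the other gf_bs_set_cookie call sites. The bare `100` should also be a named constant, e.g. `#define GF_ODF_MAX_DESC_DEPTH 100` above the wrapper and `if (cookie > GF_ODF_MAX_DESC_DEPTH)` in the check, so the limit is greppable and can be shared with any companion guards. The HintFile change in applications/mp4box/main.c (`return e;` replacing `if (!nb_done) return e;`) is a behavior change for every hinting failure after the first track, not just the crafted-descriptor path, and it returns from inside a loop whose setup and cleanup lie outside the hunk; for a stable-update CVE patch, confirm it is actually needed for the fix and that nothing HintFile acquires before the loop is leaked by the unconditional return.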
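Review bot: The series hunk enables CVE-2022-36186.patch, but this commit only creates debian/patches/CVE-2022-38530.patch (the diffstat lists two files changed and a single new patch), so unless that second patch file lands in a separate commit, quilt and dpkg-source will fail on the missing file when the series is applied. Either drop `+CVE-2022-36186.patch` from this commit or add the corresponding patch file to it.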