From f99e38180f9588a8c714808e5e7b3e2aa646800e Mon Sep 17 00:00:00 2001 From: Debian Multimedia Maintainers Date: Wed, 1 Sep 2021 20:50:08 +0100 Subject: [PATCH] talos-2021-1299 Backport of https://github.com/gpac/gpac/commit/bbd741e0e5a6e7e1e90a73c350acc061dde9450b Backport of https://github.com/gpac/gpac/commit/bbd741e0e5a6e7e1e90a73c350acc061dde9450b NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1299 Gbp-Pq: Name talos-2021-1299.patch --- src/isomedia/box_code_base.c | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/src/isomedia/box_code_base.c b/src/isomedia/box_code_base.c index 1f30b52..be4a85f 100644 --- a/src/isomedia/box_code_base.c +++ b/src/isomedia/box_code_base.c @@ -577,10 +577,15 @@ GF_Err url_box_read(GF_Box *s, GF_BitStream *bs) GF_DataEntryURLBox *ptr = (GF_DataEntryURLBox *)s; if (ptr->size) { - ptr->location = (char*)gf_malloc((u32) ptr->size); + u32 location_size = (u32) ptr->size; + if (location_size < 1) { + GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in svhd box\n", ptr->size)); + return GF_ISOM_INVALID_FILE; + } + ptr->location = (char*)gf_malloc(location_size); if (! ptr->location) return GF_OUT_OF_MEM; - gf_bs_read_data(bs, ptr->location, (u32)ptr->size); - if (ptr->location[ptr->size-1]) { + gf_bs_read_data(bs, ptr->location, location_size); + if (ptr->location[location_size-1]) { GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] url box location is not 0-terminated\n" )); return GF_ISOM_INVALID_FILE; } @@ -1894,6 +1899,12 @@ GF_Err sdp_box_read(GF_Box *s, GF_BitStream *bs) if (ptr == NULL) return GF_BAD_PARAM; length = (u32) (ptr->size); + + if (length >= (u32)0xFFFFFFFF) { + GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in sdp box\n", length)); + return GF_ISOM_INVALID_FILE; + } + //sdp text has no delimiter !!! ptr->sdpText = (char*)gf_malloc(sizeof(char) * (length+1)); if (!ptr->sdpText) return GF_OUT_OF_MEM; @@ -1951,6 +1962,12 @@ GF_Err rtp_hnti_box_read(GF_Box *s, GF_BitStream *bs) ptr->subType = gf_bs_read_u32(bs); length = (u32) (ptr->size); + + if (length >= (u32)0xFFFFFFFF) { + GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in rtp_hnti box\n", length)); + return GF_ISOM_INVALID_FILE; + } + //sdp text has no delimiter !!! ptr->sdpText = (char*)gf_malloc(sizeof(char) * (length+1)); if (!ptr->sdpText) return GF_OUT_OF_MEM; @@ -2614,6 +2631,12 @@ GF_Err name_box_read(GF_Box *s, GF_BitStream *bs) GF_NameBox *ptr = (GF_NameBox *)s; length = (u32) (ptr->size); + + if (length >= (u32)0xFFFFFFFF) { + GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid length %lu in name box\n", length)); + return GF_ISOM_INVALID_FILE; + } + ptr->string = (char*)gf_malloc(sizeof(char) * (length+1)); if (! ptr->string) return GF_OUT_OF_MEM; @@ -8437,6 +8460,10 @@ void txtc_box_del(GF_Box *s) GF_Err txtc_box_read(GF_Box *s, GF_BitStream *bs) { GF_TextConfigBox *ptr = (GF_TextConfigBox*)s; + if ((u32)ptr->size >= (u32)0xFFFFFFFF) { + GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid size %llu in txtc box\n", ptr->size)); + return GF_ISOM_INVALID_FILE; + } ptr->config = (char *)gf_malloc(sizeof(char)*((u32) ptr->size+1)); if (!ptr->config) return GF_OUT_OF_MEM; gf_bs_read_data(bs, ptr->config, (u32) ptr->size); -- 2.30.2