Package: gpac / 0.7.1+dfsg1-3

CVE-2018-7752.patch Patch series | download
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date:   Tue Mar 6 11:23:31 2018 +0100
Description: CVE-2018-7752
Upstream: commit 90dc7f853d31b0a4e9441cba97feccf36d8b69a4

fix some exploitable overflows (#994, #997)

--- a/include/gpac/tools.h
+++ b/include/gpac/tools.h
@@ -1067,6 +1067,7 @@ void gf_fm_request_call(u32 type, u32 pa
 
 /* \endcond */
 
+#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))
 
 #ifdef __cplusplus
 }
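Review bot: The new `ARRAY_LENGTH` macro is added to a public header unconditionally, so any client code or other header that already defines a macro of this common name will hit a redefinition diagnostic; guarding it as `#ifndef ARRAY_LENGTH` / `#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))` / `#endif` avoids that. It also silently yields a wrong count when `a` is a pointer or an array parameter (sizeof of a pointer divided by the element size), which matters here because the macro is introduced specifically to bound bitstream-driven indices; a comment such as `/* element count of a true array object; never use on a pointer or array parameter */` would document the restriction. The placement after `/* \endcond */` appears to put it back in the Doxygen-visible part of the header, so it will show in generated API docs without a description unless one is added.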
--- a/src/isomedia/avc_ext.c
+++ b/src/isomedia/avc_ext.c
@@ -2361,6 +2361,8 @@ GF_Err gf_isom_oinf_read_entry(void *ent
 		op->output_layer_set_idx = gf_bs_read_u16(bs);
 		op->max_temporal_id = gf_bs_read_u8(bs);
 		op->layer_count = gf_bs_read_u8(bs);
+		if (op->layer_count > ARRAY_LENGTH(op->layers_info))
+			return GF_NON_COMPLIANT_BITSTREAM;
 		for (j = 0; j < op->layer_count; j++) {
 			op->layers_info[j].ptl_idx = gf_bs_read_u8(bs);
 			op->layers_info[j].layer_id = gf_bs_read_int(bs, 6);
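Review bot: The `layer_count` guard returns `GF_NON_COMPLIANT_BITSTREAM` silently, whereas the matching guard this commit adds to gf_media_avc_read_sps in av_parsers.c logs an error first; rejecting a malformed `oinf` entry without a trace makes the failure hard to diagnose in the field. Assuming GF_LOG is in scope here as it is elsewhere in isomedia, add `GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] oinf layer_count exceeds layers_info capacity\n"));` before the return. The check itself is correct: `layer_count <= ARRAY_LENGTH(op->layers_info)` keeps every `j` in the following loop inside `layers_info`. gf_isom_oinf_read_entry starts before this hunk and continues past it, so whether the early return leaves a partially initialised `op` for the caller to release cannot be confirmed from here.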
--- a/src/media_tools/av_parsers.c
+++ b/src/media_tools/av_parsers.c
@@ -2386,6 +2386,10 @@ s32 gf_media_avc_read_sps(const char *sp
 		sps->offset_for_non_ref_pic = bs_get_se(bs);
 		sps->offset_for_top_to_bottom_field = bs_get_se(bs);
 		sps->poc_cycle_length = bs_get_ue(bs);
+		if (sps->poc_cycle_length > ARRAY_LENGTH(sps->offset_for_ref_frame)) {
+			GF_LOG(GF_LOG_ERROR, GF_LOG_CODING, ("[avc-h264] offset_for_ref_frame overflow from poc_cycle_length\n"));
+			goto exit;
+		}
 		for(i=0; i<sps->poc_cycle_length; i++) sps->offset_for_ref_frame[i] = bs_get_se(bs);
 	}
 	if (sps->poc_type > 2) {
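Review bot: The bound on `poc_cycle_length` is the capacity of `offset_for_ref_frame`, not the H.264 range of `num_ref_frames_in_pic_order_cnt_cycle` (0..255, clause 7.4.2.1.1); the check keeps the loop on the following line in bounds, which is the point of the fix, but a comment such as `/* storage bound, not the spec range: keeps the offset_for_ref_frame loop in bounds on malformed SPS */` would stop a later reader from replacing it with a spec constant that may not match the array size. If the array holds more than 255 entries, values above the spec limit but within the array are still accepted; that is a compliance question rather than a memory-safety one. gf_media_avc_read_sps starts before this hunk and the `exit` label it jumps to is also outside it, so the return value and cleanup on this error path cannot be confirmed here.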