Package: gpac / 0.7.1+dfsg1-3

CVE-2019-11221.patch
From f4616202e5578e65746cf7e7ceeba63bee1b094b Mon Sep 17 00:00:00 2001
From: Aurelien David <aurelien.david@telecom-paristech.fr>
Date: Thu, 11 Apr 2019 14:18:58 +0200
Subject: [PATCH] fix a bunch of vsprintf -> vsnprintf

closes #1203
---
 applications/mp4client/main.c         |  2 +-
 applications/osmo4_sym/osmo4_view.cpp |  2 +-
 src/media_tools/media_export.c        |  2 +-
 src/media_tools/media_import.c        |  2 +-
 src/scene_manager/loader_bt.c         |  4 ++--
 src/scene_manager/loader_isom.c       |  2 +-
 src/scene_manager/loader_qt.c         |  2 +-
 src/scene_manager/loader_svg.c        |  8 ++++----
 src/scene_manager/loader_xmt.c        | 14 +++++++-------
 src/scene_manager/swf_parse.c         |  6 +++---
 src/scene_manager/swf_svg.c           |  2 +-
 src/scenegraph/xbl_process.c          |  2 +-
 src/utils/alloc.c                     |  2 +-
 src/utils/xml_parser.c                | 24 +++++++++++++-----------
 15 files changed, 49 insertions(+), 47 deletions(-)

--- a/applications/mp4client/main.c
+++ b/applications/mp4client/main.c
@@ -1038,7 +1038,7 @@ static void on_gpac_log(void *cbk, GF_LO
 
 	if (rti_logs && (lm & GF_LOG_RTI)) {
 		char szMsg[2048];
-		vsprintf(szMsg, fmt, list);
+		vsnprintf(szMsg, 2048, fmt, list);
 		UpdateRTInfo(szMsg + 6 /*"[RTI] "*/);
 	} else {
 		if (log_time_start) {
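Review bot: The bound passed to `vsnprintf` repeats the array length as a literal (`2048` here), so a later change to the `szMsg` declaration would silently bring the overflow back; `vsnprintf(szMsg, sizeof(szMsg), fmt, list);` keeps the two tied together. The same literal-size pattern appears in the media_export.c, media_import.c, loader_bt.c, loader_isom.c, loader_qt.c, loader_svg.c, loader_xmt.c, swf_parse.c, xbl_process.c and alloc.c hunks, each of which shows the array declaration. Separately, `UpdateRTInfo(szMsg + 6)` assumes the formatted text is at least six bytes long; that presumably holds because RTI messages start with `[RTI] `, but nothing in the hunk checks it. on_gpac_log's body starts and continues outside the hunk.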
--- a/src/media_tools/media_export.c
+++ b/src/media_tools/media_export.c
@@ -57,7 +57,7 @@ static GF_Err gf_export_message(GF_Media
 		va_list args;
 		char szMsg[1024];
 		va_start(args, format);
-		vsprintf(szMsg, format, args);
+		vsnprintf(szMsg, 1024, format, args);
 		va_end(args);
 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_AUTHOR, ("%s\n", szMsg) );
 	}
--- a/src/media_tools/media_import.c
+++ b/src/media_tools/media_import.c
@@ -52,7 +52,7 @@ GF_Err gf_import_message(GF_MediaImporte
 		va_list args;
 		char szMsg[1024];
 		va_start(args, format);
-		vsprintf(szMsg, format, args);
+		vsnprintf(szMsg, 1024, format, args);
 		va_end(args);
 		GF_LOG((u32) (e ? GF_LOG_WARNING : GF_LOG_INFO), GF_LOG_AUTHOR, ("%s\n", szMsg) );
 	}
--- a/src/scene_manager/loader_bt.c
+++ b/src/scene_manager/loader_bt.c
@@ -121,7 +121,7 @@ static GF_Err gf_bt_report(GF_BTParser *
 		char szMsg[2048];
 		va_list args;
 		va_start(args, format);
-		vsprintf(szMsg, format, args);
+		vsnprintf(szMsg, 2048, format, args);
 		va_end(args);
 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[BT/WRL Parsing] %s (line %d)\n", szMsg, parser->line));
 	}
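Review bot: The diffstat in the patch header lists four changed lines for loader_bt.c, but only this one call in gf_bt_report is converted. The same mismatch shows for loader_svg.c (8 listed), loader_xmt.c (14), swf_parse.c (6) and xml_parser.c (24), and applications/osmo4_sym/osmo4_view.cpp has no hunk at all. If the missing hunks covered other unbounded `sprintf`/`vsprintf` call sites that exist in this package version, those remain unfixed, so these files should be searched for leftover unbounded formatting calls before the CVE is treated as closed. A line in the patch description saying which upstream hunks were dropped, and why, would make the backport auditable.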
--- a/src/scene_manager/loader_isom.c
+++ b/src/scene_manager/loader_isom.c
@@ -144,7 +144,7 @@ static void mp4_report(GF_SceneLoader *l
 		char szMsg[1024];
 		va_list args;
 		va_start(args, format);
-		vsprintf(szMsg, format, args);
+		vsnprintf(szMsg, 1024, format, args);
 		va_end(args);
 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[MP4 Loading] %s\n", szMsg) );
 	}
--- a/src/scene_manager/loader_qt.c
+++ b/src/scene_manager/loader_qt.c
@@ -40,7 +40,7 @@ static GF_Err gf_qt_report(GF_SceneLoade
 		char szMsg[1024];
 		va_list args;
 		va_start(args, format);
-		vsprintf(szMsg, format, args);
+		vsnprintf(szMsg, 1024, format, args);
 		va_end(args);
 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[QT Parsing] %s\n", szMsg) );
 	}
--- a/src/scene_manager/loader_svg.c
+++ b/src/scene_manager/loader_svg.c
@@ -134,7 +134,7 @@ static GF_Err svg_report(GF_SVG_Parser *
 		char szMsg[2048];
 		va_list args;
 		va_start(args, format);
-		vsprintf(szMsg, format, args);
+		vsnprintf(szMsg, 2048, format, args);
 		va_end(args);
 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[SVG Parsing] line %d - %s\n", gf_xml_sax_get_line(parser->sax_parser), szMsg));
 	}
--- a/src/scene_manager/loader_xmt.c
+++ b/src/scene_manager/loader_xmt.c
@@ -144,7 +144,7 @@ static GF_Err xmt_report(GF_XMTParser *p
 		char szMsg[2048];
 		va_list args;
 		va_start(args, format);
-		vsprintf(szMsg, format, args);
+		vsnprintf(szMsg, 2048, format, args);
 		va_end(args);
 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[XMT Parsing] %s (line %d)\n", szMsg, gf_xml_sax_get_line(parser->sax_parser)) );
 	}
--- a/src/scene_manager/swf_parse.c
+++ b/src/scene_manager/swf_parse.c
@@ -2428,7 +2428,7 @@ void swf_report(SWFReader *read, GF_Err
 		char szMsg[2048];
 		va_list args;
 		va_start(args, format);
-		vsprintf(szMsg, format, args);
+		vsnprintf(szMsg, 2048, format, args);
 		va_end(args);
 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[SWF Parsing] %s (frame %d)\n", szMsg, read->current_frame+1) );
 	}
--- a/src/scene_manager/swf_svg.c
+++ b/src/scene_manager/swf_svg.c
@@ -51,7 +51,7 @@ static void swf_svg_print(SWFReader *rea
 
 	/* print the line */
 	va_start(args, format);
-	vsprintf(line, format, args);
+	vsnprintf(line, 2000, format, args);
 	va_end(args);
 	/* add the line to the buffer */
 	line_length = (u32)strlen(line);
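Review bot: The bound `2000` in `vsnprintf(line, 2000, format, args)` cannot be checked against the buffer from this hunk, because the declaration of `line` lies above the visible lines. If `line` is a local array, `vsnprintf(line, sizeof(line), format, args);` removes the dependency on the literal. The return value is also discarded, so a truncated line is added to the output buffer with no signal; since this function appears to emit generated SVG text, truncation would presumably produce malformed output rather than a shortened log message. swf_svg_print starts and ends outside the hunk.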
--- a/src/scenegraph/xbl_process.c
+++ b/src/scenegraph/xbl_process.c
@@ -61,7 +61,7 @@ static GF_Err xbl_parse_report(GF_XBL_Pa
 		char szMsg[2048];
 		va_list args;
 		va_start(args, format);
-		vsprintf(szMsg, format, args);
+		vsnprintf(szMsg, 2048, format, args);
 		va_end(args);
 		GF_LOG((u32) (e ? GF_LOG_ERROR : GF_LOG_WARNING), GF_LOG_PARSER, ("[XBL Parsing] line %d - %s\n", gf_xml_sax_get_line(parser->sax_parser), szMsg));
 	}
--- a/src/utils/alloc.c
+++ b/src/utils/alloc.c
@@ -815,7 +815,7 @@ static void gf_memory_log(unsigned int l
 	char msg[1024];
 	assert(strlen(fmt) < 200);
 	va_start(vl, fmt);
-	vsprintf(msg, fmt, vl);
+	vsnprintf(msg, 1024, fmt, vl);
 	GF_LOG(level, GF_LOG_MEMORY, (msg));
 	va_end(vl);
 }
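Review bot: `GF_LOG(level, GF_LOG_MEMORY, (msg));` passes the already formatted buffer where the other hunks pass a format string (for example `("%s\n", szMsg)`), so any `%` that survives into `msg` would presumably be interpreted a second time by the logger. Passing it as data avoids that: `GF_LOG(level, GF_LOG_MEMORY, ("%s", msg));`. The `assert(strlen(fmt) < 200)` above the call is compiled out under NDEBUG and never bounded the expanded arguments, so the new size argument is the only effective limit on `msg`.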
--- a/src/utils/xml_parser.c
+++ b/src/utils/xml_parser.c
@@ -220,14 +220,16 @@ static void format_sax_error(GF_SAXParse
 	char szM[20];
 
 	va_start(args, fmt);
-	vsprintf(parser->err_msg, fmt, args);
+	vsnprintf(parser->err_msg, ARRAY_LENGTH(parser->err_msg), fmt, args);
 	va_end(args);
 
-	sprintf(szM, " - Line %d: ", parser->line + 1);
-	strcat(parser->err_msg, szM);
-	len = (u32) strlen(parser->err_msg);
-	strncpy(parser->err_msg + len, parser->buffer+ (linepos ? linepos : parser->current_pos), 10);
-	parser->err_msg[len + 10] = 0;
+	if (strlen(parser->err_msg)+30 < ARRAY_LENGTH(parser->err_msg)) {
+		snprintf(szM, 20, " - Line %d: ", parser->line + 1);
+		strcat(parser->err_msg, szM);
+		len = (u32) strlen(parser->err_msg);
+		strncpy(parser->err_msg + len, parser->buffer+ (linepos ? linepos : parser->current_pos), 10);
+		parser->err_msg[len + 10] = 0;
+	}
 	parser->sax_state = SAX_STATE_SYNTAX_ERROR;
 }
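Review bot: The ten-byte `strncpy` still reads from `parser->buffer + (linepos ? linepos : parser->current_pos)` without comparing that offset to the amount of data in the buffer; the new guard bounds only the destination. Whether a read past the end can occur depends on how the buffer is terminated, which is not visible here. The `+30` margin and the `szM` scratch array could be replaced by one bounded append: `len = (u32) strlen(parser->err_msg);` followed by `snprintf(parser->err_msg + len, ARRAY_LENGTH(parser->err_msg) - len, " - Line %d: %.10s", parser->line + 1, parser->buffer + (linepos ? linepos : parser->current_pos));`. `ARRAY_LENGTH` yields the buffer size only if `err_msg` is an array member and the macro is defined in this version, and neither is shown in the hunk. format_sax_error starts outside the hunk.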