152 lines
4.5 KiB
Diff
152 lines
4.5 KiB
Diff
|
From: Burkhard Plaum <plaum@ipf.uni-stuttgart.de>
|
||
|
Origin: https://sourceforge.net/p/libquicktime/mailman/libquicktime-devel/?viewmonth=201706
|
||
|
|
||
|
Hi,
|
||
|
|
||
|
I committed some (mostly trivial) updates to CVS. The following CVE's
|
||
|
are fixed and/or no longer reproducible:
|
||
|
|
||
|
CVE-2017-9122
|
||
|
CVE-2017-9123
|
||
|
CVE-2017-9124
|
||
|
CVE-2017-9125
|
||
|
CVE-2017-9126
|
||
|
CVE-2017-9127
|
||
|
CVE-2017-9128
|
||
|
|
||
|
I was a bit surprised that one simple sanity check fixes a whole bunch of files.
|
||
|
|
||
|
So it could be, that the problems are still there, but better hidden since the
|
||
|
critical code isn't executed anymore with the sample files I got.
|
||
|
|
||
|
If someone encounters more crashes, feel free to report them.
|
||
|
|
||
|
Burkhard
|
||
|
|
||
|
--- a/include/lqt_funcprotos.h
|
||
|
+++ b/include/lqt_funcprotos.h
|
||
|
@@ -1345,9 +1345,9 @@ int quicktime_write_int32_le(quicktime_t
|
||
|
int quicktime_write_char32(quicktime_t *file, char *string);
|
||
|
float quicktime_read_fixed16(quicktime_t *file);
|
||
|
int quicktime_write_fixed16(quicktime_t *file, float number);
|
||
|
-unsigned long quicktime_read_uint32(quicktime_t *file);
|
||
|
-long quicktime_read_int32(quicktime_t *file);
|
||
|
-long quicktime_read_int32_le(quicktime_t *file);
|
||
|
+uint32_t quicktime_read_uint32(quicktime_t *file);
|
||
|
+int32_t quicktime_read_int32(quicktime_t *file);
|
||
|
+int32_t quicktime_read_int32_le(quicktime_t *file);
|
||
|
int64_t quicktime_read_int64(quicktime_t *file);
|
||
|
int64_t quicktime_read_int64_le(quicktime_t *file);
|
||
|
long quicktime_read_int24(quicktime_t *file);
|
||
|
--- a/src/atom.c
|
||
|
+++ b/src/atom.c
|
||
|
@@ -131,6 +131,9 @@ int quicktime_atom_read_header(quicktime
|
||
|
atom->size = read_size64(header);
|
||
|
atom->end = atom->start + atom->size;
|
||
|
}
|
||
|
+/* Avoid broken files */
|
||
|
+ if(atom->end > file->total_length)
|
||
|
+ result = 1;
|
||
|
}
|
||
|
|
||
|
|
||
|
--- a/src/lqt_quicktime.c
|
||
|
+++ b/src/lqt_quicktime.c
|
||
|
@@ -1788,8 +1788,8 @@ int quicktime_read_info(quicktime_t *fil
|
||
|
quicktime_set_position(file, start_position);
|
||
|
free(temp);
|
||
|
|
||
|
- quicktime_read_moov(file, &file->moov, &leaf_atom);
|
||
|
- got_header = 1;
|
||
|
+ if(!quicktime_read_moov(file, &file->moov, &leaf_atom))
|
||
|
+ got_header = 1;
|
||
|
}
|
||
|
else
|
||
|
quicktime_atom_skip(file, &leaf_atom);
|
||
|
--- a/src/moov.c
|
||
|
+++ b/src/moov.c
|
||
|
@@ -218,7 +218,8 @@ int quicktime_read_moov(quicktime_t *fil
|
||
|
if(quicktime_atom_is(&leaf_atom, "trak"))
|
||
|
{
|
||
|
quicktime_trak_t *trak = quicktime_add_trak(file);
|
||
|
- quicktime_read_trak(file, trak, &leaf_atom);
|
||
|
+ if(quicktime_read_trak(file, trak, &leaf_atom))
|
||
|
+ return 1;
|
||
|
}
|
||
|
else
|
||
|
if(quicktime_atom_is(&leaf_atom, "udta"))
|
||
|
--- a/src/trak.c
|
||
|
+++ b/src/trak.c
|
||
|
@@ -269,6 +269,14 @@ int quicktime_read_trak(quicktime_t *fil
|
||
|
else quicktime_atom_skip(file, &leaf_atom);
|
||
|
} while(quicktime_position(file) < trak_atom->end);
|
||
|
|
||
|
+ /* Do some sanity checks to prevent later crashes */
|
||
|
+ if(trak->mdia.minf.is_video || trak->mdia.minf.is_video)
|
||
|
+ {
|
||
|
+ if(!trak->mdia.minf.stbl.stsc.table ||
|
||
|
+ !trak->mdia.minf.stbl.stco.table)
|
||
|
+ return 1;
|
||
|
+ }
|
||
|
+
|
||
|
#if 1
|
||
|
if(trak->mdia.minf.is_video &&
|
||
|
quicktime_match_32(trak->mdia.minf.stbl.stsd.table[0].format, "drac"))
|
||
|
--- a/src/util.c
|
||
|
+++ b/src/util.c
|
||
|
@@ -647,10 +647,10 @@ int quicktime_write_fixed16(quicktime_t
|
||
|
return quicktime_write_data(file, data, 2);
|
||
|
}
|
||
|
|
||
|
-unsigned long quicktime_read_uint32(quicktime_t *file)
|
||
|
+uint32_t quicktime_read_uint32(quicktime_t *file)
|
||
|
{
|
||
|
- unsigned long result;
|
||
|
- unsigned long a, b, c, d;
|
||
|
+ uint32_t result;
|
||
|
+ uint32_t a, b, c, d;
|
||
|
uint8_t data[4];
|
||
|
|
||
|
quicktime_read_data(file, data, 4);
|
||
|
@@ -663,10 +663,10 @@ unsigned long quicktime_read_uint32(quic
|
||
|
return result;
|
||
|
}
|
||
|
|
||
|
-long quicktime_read_int32(quicktime_t *file)
|
||
|
+int32_t quicktime_read_int32(quicktime_t *file)
|
||
|
{
|
||
|
- unsigned long result;
|
||
|
- unsigned long a, b, c, d;
|
||
|
+ uint32_t result;
|
||
|
+ uint32_t a, b, c, d;
|
||
|
uint8_t data[4];
|
||
|
|
||
|
quicktime_read_data(file, data, 4);
|
||
|
@@ -676,13 +676,13 @@ long quicktime_read_int32(quicktime_t *f
|
||
|
d = data[3];
|
||
|
|
||
|
result = (a << 24) | (b << 16) | (c << 8) | d;
|
||
|
- return (long)result;
|
||
|
+ return (int32_t)result;
|
||
|
}
|
||
|
|
||
|
-long quicktime_read_int32_le(quicktime_t *file)
|
||
|
+int32_t quicktime_read_int32_le(quicktime_t *file)
|
||
|
{
|
||
|
- unsigned long result;
|
||
|
- unsigned long a, b, c, d;
|
||
|
+ uint32_t result;
|
||
|
+ uint32_t a, b, c, d;
|
||
|
uint8_t data[4];
|
||
|
|
||
|
quicktime_read_data(file, data, 4);
|
||
|
@@ -692,7 +692,7 @@ long quicktime_read_int32_le(quicktime_t
|
||
|
d = data[3];
|
||
|
|
||
|
result = (d << 24) | (c << 16) | (b << 8) | a;
|
||
|
- return (long)result;
|
||
|
+ return (int32_t)result;
|
||
|
}
|
||
|
|
||
|
int64_t quicktime_read_int64(quicktime_t *file)
|