rpms/libquicktime
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
main
libquicktime/libquicktime-1.2.4-CVE-2017-9122.patch

152 lines
4.5 KiB
Diff
Raw Permalink Blame History

From: Burkhard Plaum <plaum@ipf.uni-stuttgart.de>
Origin: https://sourceforge.net/p/libquicktime/mailman/libquicktime-devel/?viewmonth=201706
Hi,
I committed some (mostly trivial) updates to CVS. The following CVE's
are fixed and/or no longer reproducible:
CVE-2017-9122
CVE-2017-9123
CVE-2017-9124
CVE-2017-9125
CVE-2017-9126
CVE-2017-9127
CVE-2017-9128
I was a bit surprised that one simple sanity check fixes a whole bunch of files.
So it could be, that the problems are still there, but better hidden since the
critical code isn't executed anymore with the sample files I got.
If someone encounters more crashes, feel free to report them.
Burkhard
--- a/include/lqt_funcprotos.h
+++ b/include/lqt_funcprotos.h
@@ -1345,9 +1345,9 @@ int quicktime_write_int32_le(quicktime_t
int quicktime_write_char32(quicktime_t *file, char *string);
float quicktime_read_fixed16(quicktime_t *file);
int quicktime_write_fixed16(quicktime_t *file, float number);
-unsigned long quicktime_read_uint32(quicktime_t *file);
-long quicktime_read_int32(quicktime_t *file);
-long quicktime_read_int32_le(quicktime_t *file);
+uint32_t quicktime_read_uint32(quicktime_t *file);
+int32_t quicktime_read_int32(quicktime_t *file);
+int32_t quicktime_read_int32_le(quicktime_t *file);
int64_t quicktime_read_int64(quicktime_t *file);
int64_t quicktime_read_int64_le(quicktime_t *file);
long quicktime_read_int24(quicktime_t *file);
--- a/src/atom.c
+++ b/src/atom.c
@@ -131,6 +131,9 @@ int quicktime_atom_read_header(quicktime
atom->size = read_size64(header);
atom->end = atom->start + atom->size;
}
+/* Avoid broken files */
+ if(atom->end > file->total_length)
+ result = 1;
}
--- a/src/lqt_quicktime.c
+++ b/src/lqt_quicktime.c
@@ -1788,8 +1788,8 @@ int quicktime_read_info(quicktime_t *fil
quicktime_set_position(file, start_position);
free(temp);
- quicktime_read_moov(file, &file->moov, &leaf_atom);
- got_header = 1;
+ if(!quicktime_read_moov(file, &file->moov, &leaf_atom))
+ got_header = 1;
}
else
quicktime_atom_skip(file, &leaf_atom);
--- a/src/moov.c
+++ b/src/moov.c
@@ -218,7 +218,8 @@ int quicktime_read_moov(quicktime_t *fil
if(quicktime_atom_is(&leaf_atom, "trak"))
{
quicktime_trak_t *trak = quicktime_add_trak(file);
- quicktime_read_trak(file, trak, &leaf_atom);
+ if(quicktime_read_trak(file, trak, &leaf_atom))
+ return 1;
}
else
if(quicktime_atom_is(&leaf_atom, "udta"))
--- a/src/trak.c
+++ b/src/trak.c
@@ -269,6 +269,14 @@ int quicktime_read_trak(quicktime_t *fil
else quicktime_atom_skip(file, &leaf_atom);
} while(quicktime_position(file) < trak_atom->end);
+ /* Do some sanity checks to prevent later crashes */
+ if(trak->mdia.minf.is_video || trak->mdia.minf.is_video)
+ {
+ if(!trak->mdia.minf.stbl.stsc.table ||
+ !trak->mdia.minf.stbl.stco.table)
+ return 1;
+ }
+
#if 1
if(trak->mdia.minf.is_video &&
quicktime_match_32(trak->mdia.minf.stbl.stsd.table[0].format, "drac"))
--- a/src/util.c
+++ b/src/util.c
@@ -647,10 +647,10 @@ int quicktime_write_fixed16(quicktime_t
return quicktime_write_data(file, data, 2);
}
-unsigned long quicktime_read_uint32(quicktime_t *file)
+uint32_t quicktime_read_uint32(quicktime_t *file)
{
- unsigned long result;
- unsigned long a, b, c, d;
+ uint32_t result;
+ uint32_t a, b, c, d;
uint8_t data[4];
quicktime_read_data(file, data, 4);
@@ -663,10 +663,10 @@ unsigned long quicktime_read_uint32(quic
return result;
}
-long quicktime_read_int32(quicktime_t *file)
+int32_t quicktime_read_int32(quicktime_t *file)
{
- unsigned long result;
- unsigned long a, b, c, d;
+ uint32_t result;
+ uint32_t a, b, c, d;
uint8_t data[4];
quicktime_read_data(file, data, 4);
@@ -676,13 +676,13 @@ long quicktime_read_int32(quicktime_t *f
d = data[3];
result = (a << 24) | (b << 16) | (c << 8) | d;
- return (long)result;
+ return (int32_t)result;
}
-long quicktime_read_int32_le(quicktime_t *file)
+int32_t quicktime_read_int32_le(quicktime_t *file)
{
- unsigned long result;
- unsigned long a, b, c, d;
+ uint32_t result;
+ uint32_t a, b, c, d;
uint8_t data[4];
quicktime_read_data(file, data, 4);
@@ -692,7 +692,7 @@ long quicktime_read_int32_le(quicktime_t
d = data[3];
result = (d << 24) | (c << 16) | (b << 8) | a;
- return (long)result;
+ return (int32_t)result;
}
int64_t quicktime_read_int64(quicktime_t *file)
Reference in New Issue View Git Blame Copy Permalink