erkanisik
/
main
mirror da https://github.com/pisilinux/main.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152
							From: Burkhard Plaum <plaum@ipf.uni-stuttgart.de>
Origin: https://sourceforge.net/p/libquicktime/mailman/libquicktime-devel/?viewmonth=201706

Hi,

I committed some (mostly trivial) updates to CVS. The following CVE's
are fixed and/or no longer reproducible:

CVE-2017-9122
CVE-2017-9123
CVE-2017-9124
CVE-2017-9125
CVE-2017-9126
CVE-2017-9127
CVE-2017-9128

I was a bit surprised that one simple sanity check fixes a whole bunch of files.

So it could be, that the problems are still there, but better hidden since the
critical code isn't executed anymore with the sample files I got.

If someone encounters more crashes, feel free to report them.

Burkhard

--- a/include/lqt_funcprotos.h
+++ b/include/lqt_funcprotos.h
@@ -1345,9 +1345,9 @@ int quicktime_write_int32_le(quicktime_t
 int quicktime_write_char32(quicktime_t *file, char *string);
 float quicktime_read_fixed16(quicktime_t *file);
 int quicktime_write_fixed16(quicktime_t *file, float number);
-unsigned long quicktime_read_uint32(quicktime_t *file);
-long quicktime_read_int32(quicktime_t *file);
-long quicktime_read_int32_le(quicktime_t *file);
+uint32_t quicktime_read_uint32(quicktime_t *file);
+int32_t quicktime_read_int32(quicktime_t *file);
+int32_t quicktime_read_int32_le(quicktime_t *file);
 int64_t quicktime_read_int64(quicktime_t *file);
 int64_t quicktime_read_int64_le(quicktime_t *file);
 long quicktime_read_int24(quicktime_t *file);
--- a/src/atom.c
+++ b/src/atom.c
@@ -131,6 +131,9 @@ int quicktime_atom_read_header(quicktime
 			atom->size = read_size64(header);
 			atom->end = atom->start + atom->size;
 		}
+/* Avoid broken files */
+        if(atom->end > file->total_length)
+          result = 1;
 	}
 
 
--- a/src/lqt_quicktime.c
+++ b/src/lqt_quicktime.c
@@ -1788,8 +1788,8 @@ int quicktime_read_info(quicktime_t *fil
                 quicktime_set_position(file, start_position);
                 free(temp);
 
-                quicktime_read_moov(file, &file->moov, &leaf_atom);
-                got_header = 1;
+                if(!quicktime_read_moov(file, &file->moov, &leaf_atom))
+                  got_header = 1;
                 }
               else
                 quicktime_atom_skip(file, &leaf_atom);
--- a/src/moov.c
+++ b/src/moov.c
@@ -218,7 +218,8 @@ int quicktime_read_moov(quicktime_t *fil
 		if(quicktime_atom_is(&leaf_atom, "trak"))
 		{
 			quicktime_trak_t *trak = quicktime_add_trak(file);
-			quicktime_read_trak(file, trak, &leaf_atom);
+			if(quicktime_read_trak(file, trak, &leaf_atom))
+                          return 1;
 		}
 		else
 		if(quicktime_atom_is(&leaf_atom, "udta"))
--- a/src/trak.c
+++ b/src/trak.c
@@ -269,6 +269,14 @@ int quicktime_read_trak(quicktime_t *fil
     else quicktime_atom_skip(file, &leaf_atom);
     } while(quicktime_position(file) < trak_atom->end);
 
+  /* Do some sanity checks to prevent later crashes */
+  if(trak->mdia.minf.is_video || trak->mdia.minf.is_video)
+    {
+    if(!trak->mdia.minf.stbl.stsc.table ||
+       !trak->mdia.minf.stbl.stco.table)
+      return 1;
+    }
+
 #if 1 
   if(trak->mdia.minf.is_video &&
      quicktime_match_32(trak->mdia.minf.stbl.stsd.table[0].format, "drac"))
--- a/src/util.c
+++ b/src/util.c
@@ -647,10 +647,10 @@ int quicktime_write_fixed16(quicktime_t
 	return quicktime_write_data(file, data, 2);
 }
 
-unsigned long quicktime_read_uint32(quicktime_t *file)
+uint32_t quicktime_read_uint32(quicktime_t *file)
 {
-	unsigned long result;
-	unsigned long a, b, c, d;
+	uint32_t result;
+	uint32_t a, b, c, d;
 	uint8_t data[4];
 
 	quicktime_read_data(file, data, 4);
@@ -663,10 +663,10 @@ unsigned long quicktime_read_uint32(quic
 	return result;
 }
 
-long quicktime_read_int32(quicktime_t *file)
+int32_t quicktime_read_int32(quicktime_t *file)
 {
-	unsigned long result;
-	unsigned long a, b, c, d;
+	uint32_t result;
+	uint32_t a, b, c, d;
 	uint8_t data[4];
 
 	quicktime_read_data(file, data, 4);
@@ -676,13 +676,13 @@ long quicktime_read_int32(quicktime_t *f
 	d = data[3];
 
 	result = (a << 24) | (b << 16) | (c << 8) | d;
-	return (long)result;
+	return (int32_t)result;
 }
 
-long quicktime_read_int32_le(quicktime_t *file)
+int32_t quicktime_read_int32_le(quicktime_t *file)
 {
-	unsigned long result;
-	unsigned long a, b, c, d;
+	uint32_t result;
+	uint32_t a, b, c, d;
 	uint8_t data[4];
 
 	quicktime_read_data(file, data, 4);
@@ -692,7 +692,7 @@ long quicktime_read_int32_le(quicktime_t
 	d = data[3];
 
 	result = (d << 24) | (c << 16) | (b << 8) | a;
-	return (long)result;
+	return (int32_t)result;
 }
 
 int64_t quicktime_read_int64(quicktime_t *file)