diff options
Diffstat (limited to 'media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14325.patch')
-rw-r--r-- | media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14325.patch | 60 |
1 files changed, 0 insertions, 60 deletions
diff --git a/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14325.patch b/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14325.patch deleted file mode 100644 index eb23926bb49d..000000000000 --- a/media-libs/libmp4v2/files/libmp4v2-2.0.0-CVE-2018-14325.patch +++ /dev/null @@ -1,60 +0,0 @@ -Upstream: https://github.com/sergiomb2/libmp4v2/commit/9084868fd9f86bee118001c23171e832f15009f4 -Gentoo Bug: https://bugs.gentoo.org/661582 - - -From 9084868fd9f86bee118001c23171e832f15009f4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?S=C3=A9rgio=20M=2E=20Basto?= <sergio@serjux.com> -Date: Fri, 8 Nov 2019 02:01:32 +0000 -Subject: [PATCH] Fix v3 Integer underflow/overflow in MP4v2 2.0.0 - -Reference: https://www.openwall.com/lists/oss-security/2018/07/16/1 - -For the overflow, we could check the result of the integer multiplication: - -fix vulnerability where an atom list size is enormous -and calculating the number of bytes needed to hold the list overflows -https://github.com/TechSmith/mp4v2/pull/27/commits/70d823ccd8e2d7d0ed9e62fb7e8983d21e6acbeb - -Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14326 and https://nvd.nist.gov/vuln/detail/CVE-2018-14446 - -For the underflow, we could check if `dataSize >= hdrSize` satisfies: -Throw exception when invalid atom size would cause integer underflow -The calculation `hdrSize - dataSize` can underflow the 64-bit unsigned int dataSize type, which can lead to incorrect results. We throw an exception to stop the code from going any further. - -Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14325 -Based on https://github.com/TechSmith/mp4v2/commit/e475013c6ef78093055a02b0d035eda0f9f01451 ---- - src/mp4array.h | 2 ++ - src/mp4atom.cpp | 6 ++++++ - 2 files changed, 8 insertions(+) - -diff --git a/src/mp4array.h b/src/mp4array.h -index c49d59b..69d470a 100644 ---- a/src/mp4array.h -+++ b/src/mp4array.h -@@ -102,6 +102,8 @@ class MP4Array { - void Resize(MP4ArrayIndex newSize) { \ - m_numElements = newSize; \ - m_maxNumElements = newSize; \ -+ if ( (uint64_t) m_maxNumElements * sizeof(type) > 0xFFFFFFFF ) \ -+ throw new PlatformException("requested array size exceeds 4GB", ERANGE, __FILE__, __LINE__, __FUNCTION__); /* prevent overflow */ \ - m_elements = (type*)MP4Realloc(m_elements, \ - m_maxNumElements * sizeof(type)); \ - } \ -diff --git a/src/mp4atom.cpp b/src/mp4atom.cpp -index 7a0a53f..f5d5dc0 100644 ---- a/src/mp4atom.cpp -+++ b/src/mp4atom.cpp -@@ -143,6 +143,12 @@ MP4Atom* MP4Atom::ReadAtom(MP4File& file, MP4Atom* pParentAtom) - dataSize = file.GetSize() - pos; - } - -+ if(dataSize < hdrSize) { -+ ostringstream oss; -+ oss << "Invalid atom size in '" << type << "' atom, dataSize = " << dataSize << " cannot be less than hdrSize = " << static_cast<unsigned>( hdrSize ); -+ log.errorf( "%s: \"%s\": %s", __FUNCTION__, file.GetFilename().c_str(), oss.str().c_str() ); -+ throw new Exception( oss.str().c_str(), __FILE__, __LINE__, __FUNCTION__ ); -+ } - dataSize -= hdrSize; - - log.verbose1f("\"%s\": type = \"%s\" data-size = %" PRIu64 " (0x%" PRIx64 ") hdr %u", |