From 265dbe5dbc14c199299496c6db8fce3f76647015 Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Fri, 21 Sep 2018 18:00:10 +0100
Subject: gentoo resync : 21.09.2018
---
media-libs/libquicktime/files/CVE-2016-2399.patch | 25 ----
.../files/libquicktime-1.2.4-CVE-2016-2399.patch | 25 ++++
.../libquicktime-1.2.4-CVE-2017-9122_et_al.patch | 151 +++++++++++++++++++++
3 files changed, 176 insertions(+), 25 deletions(-)
delete mode 100644 media-libs/libquicktime/files/CVE-2016-2399.patch
create mode 100644 media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2016-2399.patch
create mode 100644 media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2017-9122_et_al.patch
(limited to 'media-libs/libquicktime/files')
diff --git a/media-libs/libquicktime/files/CVE-2016-2399.patch b/media-libs/libquicktime/files/CVE-2016-2399.patch
deleted file mode 100644
index a1737c0dc0a9..000000000000
--- a/media-libs/libquicktime/files/CVE-2016-2399.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855099
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399
-
-diff --git a/src/util.c b/src/util.c
-index d8dc3c3..9422fc5 100644
---- a/src/util.c
-+++ b/src/util.c
-@@ -340,9 +340,14 @@ int64_t quicktime_byte_position(quicktime_t *file)
-
- void quicktime_read_pascal(quicktime_t *file, char *data)
- {
-- char len = quicktime_read_char(file);
-- quicktime_read_data(file, (uint8_t*)data, len);
-- data[(int)len] = 0;
-+ int len = quicktime_read_char(file);
-+ if ((len > 0) && (len < 256)) {
-+ /* data[] is expected to be 256 bytes long */
-+ quicktime_read_data(file, (uint8_t*)data, len);
-+ data[len] = 0;
-+ } else {
-+ data[0] = 0;
-+ }
- }
-
- void quicktime_write_pascal(quicktime_t *file, char *data)
diff --git a/media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2016-2399.patch b/media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2016-2399.patch
new file mode 100644
index 000000000000..a1737c0dc0a9
--- /dev/null
+++ b/media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2016-2399.patch
@@ -0,0 +1,25 @@
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855099
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399
+
+diff --git a/src/util.c b/src/util.c
+index d8dc3c3..9422fc5 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -340,9 +340,14 @@ int64_t quicktime_byte_position(quicktime_t *file)
+
+ void quicktime_read_pascal(quicktime_t *file, char *data)
+ {
+- char len = quicktime_read_char(file);
+- quicktime_read_data(file, (uint8_t*)data, len);
+- data[(int)len] = 0;
++ int len = quicktime_read_char(file);
++ if ((len > 0) && (len < 256)) {
++ /* data[] is expected to be 256 bytes long */
++ quicktime_read_data(file, (uint8_t*)data, len);
++ data[len] = 0;
++ } else {
++ data[0] = 0;
++ }
+ }
+
+ void quicktime_write_pascal(quicktime_t *file, char *data)
diff --git a/media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2017-9122_et_al.patch b/media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2017-9122_et_al.patch
new file mode 100644
index 000000000000..06fb7b33758b
--- /dev/null
+++ b/media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2017-9122_et_al.patch
@@ -0,0 +1,151 @@
+From: Burkhard Plaum
+Origin: https://sourceforge.net/p/libquicktime/mailman/libquicktime-devel/?viewmonth=201706
+
+Hi,
+
+I committed some (mostly trivial) updates to CVS. The following CVE's
+are fixed and/or no longer reproducible:
+
+CVE-2017-9122
+CVE-2017-9123
+CVE-2017-9124
+CVE-2017-9125
+CVE-2017-9126
+CVE-2017-9127
+CVE-2017-9128
+
+I was a bit surprised that one simple sanity check fixes a whole bunch of files.
+
+So it could be, that the problems are still there, but better hidden since the
+critical code isn't executed anymore with the sample files I got.
+
+If someone encounters more crashes, feel free to report them.
+
+Burkhard
+
+--- a/include/lqt_funcprotos.h
++++ b/include/lqt_funcprotos.h
+@@ -1345,9 +1345,9 @@ int quicktime_write_int32_le(quicktime_t
+ int quicktime_write_char32(quicktime_t *file, char *string);
+ float quicktime_read_fixed16(quicktime_t *file);
+ int quicktime_write_fixed16(quicktime_t *file, float number);
+-unsigned long quicktime_read_uint32(quicktime_t *file);
+-long quicktime_read_int32(quicktime_t *file);
+-long quicktime_read_int32_le(quicktime_t *file);
++uint32_t quicktime_read_uint32(quicktime_t *file);
++int32_t quicktime_read_int32(quicktime_t *file);
++int32_t quicktime_read_int32_le(quicktime_t *file);
+ int64_t quicktime_read_int64(quicktime_t *file);
+ int64_t quicktime_read_int64_le(quicktime_t *file);
+ long quicktime_read_int24(quicktime_t *file);
+--- a/src/atom.c
++++ b/src/atom.c
+@@ -131,6 +131,9 @@ int quicktime_atom_read_header(quicktime
+ atom->size = read_size64(header);
+ atom->end = atom->start + atom->size;
+ }
++/* Avoid broken files */
++ if(atom->end > file->total_length)
++ result = 1;
+ }
+
+
+--- a/src/lqt_quicktime.c
++++ b/src/lqt_quicktime.c
+@@ -1788,8 +1788,8 @@ int quicktime_read_info(quicktime_t *fil
+ quicktime_set_position(file, start_position);
+ free(temp);
+
+- quicktime_read_moov(file, &file->moov, &leaf_atom);
+- got_header = 1;
++ if(!quicktime_read_moov(file, &file->moov, &leaf_atom))
++ got_header = 1;
+ }
+ else
+ quicktime_atom_skip(file, &leaf_atom);
+--- a/src/moov.c
++++ b/src/moov.c
+@@ -218,7 +218,8 @@ int quicktime_read_moov(quicktime_t *fil
+ if(quicktime_atom_is(&leaf_atom, "trak"))
+ {
+ quicktime_trak_t *trak = quicktime_add_trak(file);
+- quicktime_read_trak(file, trak, &leaf_atom);
++ if(quicktime_read_trak(file, trak, &leaf_atom))
++ return 1;
+ }
+ else
+ if(quicktime_atom_is(&leaf_atom, "udta"))
+--- a/src/trak.c
++++ b/src/trak.c
+@@ -269,6 +269,14 @@ int quicktime_read_trak(quicktime_t *fil
+ else quicktime_atom_skip(file, &leaf_atom);
+ } while(quicktime_position(file) < trak_atom->end);
+
++ /* Do some sanity checks to prevent later crashes */
++ if(trak->mdia.minf.is_video || trak->mdia.minf.is_video)
++ {
++ if(!trak->mdia.minf.stbl.stsc.table ||
++ !trak->mdia.minf.stbl.stco.table)
++ return 1;
++ }
++
+ #if 1
+ if(trak->mdia.minf.is_video &&
+ quicktime_match_32(trak->mdia.minf.stbl.stsd.table[0].format, "drac"))
+--- a/src/util.c
++++ b/src/util.c
+@@ -647,10 +647,10 @@ int quicktime_write_fixed16(quicktime_t
+ return quicktime_write_data(file, data, 2);
+ }
+
+-unsigned long quicktime_read_uint32(quicktime_t *file)
++uint32_t quicktime_read_uint32(quicktime_t *file)
+ {
+- unsigned long result;
+- unsigned long a, b, c, d;
++ uint32_t result;
++ uint32_t a, b, c, d;
+ uint8_t data[4];
+
+ quicktime_read_data(file, data, 4);
+@@ -663,10 +663,10 @@ unsigned long quicktime_read_uint32(quic
+ return result;
+ }
+
+-long quicktime_read_int32(quicktime_t *file)
++int32_t quicktime_read_int32(quicktime_t *file)
+ {
+- unsigned long result;
+- unsigned long a, b, c, d;
++ uint32_t result;
++ uint32_t a, b, c, d;
+ uint8_t data[4];
+
+ quicktime_read_data(file, data, 4);
+@@ -676,13 +676,13 @@ long quicktime_read_int32(quicktime_t *f
+ d = data[3];
+
+ result = (a << 24) | (b << 16) | (c << 8) | d;
+- return (long)result;
++ return (int32_t)result;
+ }
+
+-long quicktime_read_int32_le(quicktime_t *file)
++int32_t quicktime_read_int32_le(quicktime_t *file)
+ {
+- unsigned long result;
+- unsigned long a, b, c, d;
++ uint32_t result;
++ uint32_t a, b, c, d;
+ uint8_t data[4];
+
+ quicktime_read_data(file, data, 4);
+@@ -692,7 +692,7 @@ long quicktime_read_int32_le(quicktime_t
+ d = data[3];
+
+ result = (d << 24) | (c << 16) | (b << 8) | a;
+- return (long)result;
++ return (int32_t)result;
+ }
+
+ int64_t quicktime_read_int64(quicktime_t *file)
-- cgit v1.2.3
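Review bot: In the src/trak.c hunk of the added libquicktime-1.2.4-CVE-2017-9122_et_al.patch, the new sanity check tests `trak->mdia.minf.is_video` on both sides of the `||`, so the stsc/stco table check only ever runs for video tracks. The second operand was presumably meant to be the audio flag, as in `if(trak->mdia.minf.is_audio || trak->mdia.minf.is_video)`; confirm the field name against the minf struct, which is not visible here. The context line directly after the check reads `stbl.stsd.table[0].format`, and the new guard does not test `stsd.table`, so adding `!trak->mdia.minf.stbl.stsd.table ||` to the same condition would cover that dereference as well. The embedded description itself says the problems may only be hidden for the known sample files, so the listed CVEs are better tracked as mitigated than as fully fixed. quicktime_read_trak starts and continues outside the hunk.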