shithub: aacdec


ref: ef31633af61cd197e50a65893c85a3b36c2c3025
parent: 85420dc7813c4b7da372df15275154aa5bbc8b0a
author: knik <knik@users.sourceforge.net>
date: Fri Jul 14 06:49:28 EDT 2017

even better fix for multiple vulnerabilities

--- a/common/mp4ff/mp4atom.c
+++ b/common/mp4ff/mp4atom.c
@@ -259,7 +259,7 @@
 static int32_t mp4ff_read_stsz(mp4ff_t *f)
 {
     if (f->total_tracks == 0)
-        return -1;
+        return f->error++;
 
     mp4ff_read_char(f); /* version */
     mp4ff_read_int24(f); /* flags */
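Review bot: `return f->error++;` in the `total_tracks == 0` check yields the counter's value from before the increment, so the first failure returns 0, which reads as success to anyone who later tests the result. The callers changed in this commit ignore the return value, so nothing breaks today, but the same expression recurs in every `total_tracks` and allocation check in this file. Splitting it into `f->error++;` followed by `return -1;` keeps the counter and makes the return value meaningful. The function body continues outside the hunk.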
@@ -273,9 +273,9 @@
             (int32_t*)malloc(f->track[f->total_tracks - 1]->stsz_sample_count*sizeof(int32_t));
 
         if (!f->track[f->total_tracks - 1]->stsz_table)
-            return -1;
+            return f->error++;
 
-        for (i = 0; i < f->track[f->total_tracks - 1]->stsz_sample_count && !f->read_error; i++)
+        for (i = 0; i < f->track[f->total_tracks - 1]->stsz_sample_count && !f->stream->read_error; i++)
         {
             f->track[f->total_tracks - 1]->stsz_table[i] = mp4ff_read_int32(f);
         }
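Review bot: The `malloc` size `stsz_sample_count*sizeof(int32_t)` is computed without an overflow check, and the loop below then writes up to `stsz_sample_count` entries; the count is presumably read from the file just above the hunk. Where `size_t` is 32 bits the product can wrap, leaving a table shorter than the loop bound. Allocating with `calloc(f->track[f->total_tracks - 1]->stsz_sample_count, sizeof(int32_t))` lets the allocator reject an overflowing product, and it also zeroes the entries the loop never fills when `read_error` stops it early. The `stsc_*` and `stco_chunk_offset` allocations in the later hunks have the same shape.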
@@ -290,7 +290,7 @@
     uint32_t temp;
 
     if (f->total_tracks == 0)
-        return -1;
+        return f->error++;
 
     mp4ff_read_char(f); /* version */
     mp4ff_read_int24(f); /* flags */
@@ -357,7 +357,7 @@
     uint8_t header_size = 0;
 
     if (f->total_tracks == 0)
-        return -1;
+        return f->error++;
 
     for (i = 0; i < 6; i++)
     {
@@ -392,8 +392,9 @@
     int32_t i;
     uint8_t header_size = 0;
 
+    /* CVE-2017-9218 */
     if (f->total_tracks == 0)
-        return -1;
+        return f->error++;
 
     mp4ff_read_char(f); /* version */
     mp4ff_read_int24(f); /* flags */
@@ -400,7 +401,7 @@
 
     f->track[f->total_tracks - 1]->stsd_entry_count = mp4ff_read_int32(f);
 
-    for (i = 0; i < f->track[f->total_tracks - 1]->stsd_entry_count && !f->read_error; i++)
+    for (i = 0; i < f->track[f->total_tracks - 1]->stsd_entry_count && !f->stream->read_error; i++) /* CVE-2017-9253 */
     {
         uint64_t skip = mp4ff_position(f);
         uint64_t size;
@@ -431,7 +432,7 @@
     int32_t i;
 
     if (f->total_tracks == 0)
-        return -1;
+        return f->error++;
 
     mp4ff_read_char(f); /* version */
     mp4ff_read_int24(f); /* flags */
@@ -444,15 +445,16 @@
     f->track[f->total_tracks - 1]->stsc_sample_desc_index =
         (int32_t*)malloc(f->track[f->total_tracks - 1]->stsc_entry_count*sizeof(int32_t));
 
+    /* CVE-2017-9219 */
     if (!f->track[f->total_tracks - 1]->stsc_first_chunk)
     {
-        return -1;
+        return f->error++;
     }
     if (!f->track[f->total_tracks - 1]->stsc_samples_per_chunk)
     {
         free(f->track[f->total_tracks - 1]->stsc_first_chunk);
         f->track[f->total_tracks - 1]->stsc_first_chunk = NULL;
-        return -1;
+        return f->error++;
     }
     if (!f->track[f->total_tracks - 1]->stsc_sample_desc_index)
     {
@@ -460,10 +462,10 @@
         f->track[f->total_tracks - 1]->stsc_first_chunk = NULL;
         free(f->track[f->total_tracks - 1]->stsc_samples_per_chunk);
         f->track[f->total_tracks - 1]->stsc_samples_per_chunk = NULL;
-        return -1;
+        return f->error++;
     }
 
-    for (i = 0; i < f->track[f->total_tracks - 1]->stsc_entry_count && !f->read_error; i++)
+    for (i = 0; i < f->track[f->total_tracks - 1]->stsc_entry_count && !f->stream->read_error; i++) /* CVE-2017-9255 */
     {
         f->track[f->total_tracks - 1]->stsc_first_chunk[i] = mp4ff_read_int32(f);
         f->track[f->total_tracks - 1]->stsc_samples_per_chunk[i] = mp4ff_read_int32(f);
@@ -478,7 +480,7 @@
     int32_t i;
 
     if (f->total_tracks == 0)
-        return -1;
+        return f->error++;
 
     mp4ff_read_char(f); /* version */
     mp4ff_read_int24(f); /* flags */
@@ -487,10 +489,11 @@
     f->track[f->total_tracks - 1]->stco_chunk_offset =
         (int32_t*)malloc(f->track[f->total_tracks - 1]->stco_entry_count*sizeof(int32_t));
 
+    /* CVE-2017-9220 */
     if (!f->track[f->total_tracks - 1]->stco_chunk_offset)
-        return -1;
+        return f->error++;
 
-    for (i = 0; i < f->track[f->total_tracks - 1]->stco_entry_count && !f->read_error; i++)
+    for (i = 0; i < f->track[f->total_tracks - 1]->stco_entry_count && !f->stream->read_error; i++) /* CVE-2017-9256 */
     {
         f->track[f->total_tracks - 1]->stco_chunk_offset[i] = mp4ff_read_int32(f);
     }
@@ -504,7 +507,7 @@
     mp4ff_track_t * p_track;
 
     if (f->total_tracks == 0)
-        return -1;
+        return f->error++;
 
     p_track = f->track[f->total_tracks - 1];
     if (p_track->ctts_entry_count) return 0;
@@ -525,7 +528,7 @@
     }
     else
     {
-        for (i = 0; i < f->track[f->total_tracks - 1]->ctts_entry_count && !f->read_error; i++)
+        for (i = 0; i < f->track[f->total_tracks - 1]->ctts_entry_count && !f->stream->read_error; i++) /* CVE-2017-9257 */
         {
             p_track->ctts_sample_count[i] = mp4ff_read_int32(f);
             p_track->ctts_sample_offset[i] = mp4ff_read_int32(f);
@@ -539,8 +542,9 @@
     int32_t i;
     mp4ff_track_t * p_track;
 
+    /* CVE-2017-9223 */
     if (f->total_tracks == 0)
-        return -1;
+        return f->error++;
 
     p_track = f->track[f->total_tracks - 1];
 
@@ -562,7 +566,7 @@
     }
     else
     {
-        for (i = 0; i < f->track[f->total_tracks - 1]->stts_entry_count && !f->read_error; i++)
+        for (i = 0; i < f->track[f->total_tracks - 1]->stts_entry_count && !f->stream->read_error; i++) /* CVE-2017-9254 */
         {
             p_track->stts_sample_count[i] = mp4ff_read_int32(f);
             p_track->stts_sample_delta[i] = mp4ff_read_int32(f);
@@ -649,8 +653,9 @@
 {
     uint32_t version;
 
+    /* CVE-2017-9221 */
     if (f->total_tracks == 0)
-        return -1;
+        return f->error++;
 
     version = mp4ff_read_int32(f);
     if (version==1)
@@ -684,7 +689,7 @@
     mp4ff_read_char(f); /* version */
     mp4ff_read_int24(f); /* flags */
 
-    while (sumsize < (size-(header_size+4)) && !f->read_error)
+    while (sumsize < (size-(header_size+4)))
     {
         subsize = mp4ff_atom_read_header(f, &atom_type, &header_size);
         if (subsize <= header_size+4)
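Review bot: The `while` condition drops its read-error guard with no comment, unlike the other loops in this commit, which keep a guard and carry a CVE tag. Termination on a truncated atom now appears to rest on the `subsize <= header_size+4` check that follows, whose body is outside the hunk. If that is the intent, a comment such as `/* truncated input ends the loop via the subsize check below */` would record it. The loop in mp4meta.c that loses its guard the same way needs the same explanation.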
@@ -705,44 +710,40 @@
 int32_t mp4ff_atom_read(mp4ff_t *f, const int32_t size, const uint8_t atom_type)
 {
     uint64_t dest_position = mp4ff_position(f)+size-8;
-    int32_t ret = 0;
     if (atom_type == ATOM_STSZ)
     {
         /* sample size box */
-        ret = mp4ff_read_stsz(f);
+        mp4ff_read_stsz(f);
     } else if (atom_type == ATOM_STTS) {
         /* time to sample box */
-        ret = mp4ff_read_stts(f);
+        mp4ff_read_stts(f);
     } else if (atom_type == ATOM_CTTS) {
         /* composition offset box */
-        ret = mp4ff_read_ctts(f);
+        mp4ff_read_ctts(f);
     } else if (atom_type == ATOM_STSC) {
         /* sample to chunk box */
-        ret = mp4ff_read_stsc(f);
+        mp4ff_read_stsc(f);
     } else if (atom_type == ATOM_STCO) {
         /* chunk offset box */
-        ret = mp4ff_read_stco(f);
+        mp4ff_read_stco(f);
     } else if (atom_type == ATOM_STSD) {
         /* sample description box */
-        ret = mp4ff_read_stsd(f);
+        mp4ff_read_stsd(f);
     } else if (atom_type == ATOM_MVHD) {
         /* movie header box */
-        ret = mp4ff_read_mvhd(f);
+        mp4ff_read_mvhd(f);
     } else if (atom_type == ATOM_MDHD) {
         /* track header */
-        ret = mp4ff_read_mdhd(f);
+        mp4ff_read_mdhd(f);
 #ifdef USE_TAGGING
     } else if (atom_type == ATOM_META) {
         /* iTunes Metadata box */
-        ret = mp4ff_read_meta(f, size);
+        mp4ff_read_meta(f, size);
 #endif
     }
 
-    if (f->read_error)
-        ret = -1;
-
     mp4ff_set_position(f, dest_position);
 
 
-    return ret;
+    return 0;
 }
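Review bot: `mp4ff_atom_read` still declares an `int32_t` result but now always returns 0, and the removed `if (f->read_error) ret = -1;` has no replacement, so a short read recorded in `f->stream->read_error` never reaches `f->error` in the hunks shown. The table loops stop early on that flag, which leaves the stored entry counts larger than what was actually filled, while the open path tests only `ff->error`. If truncated files should be rejected, add `if (f->stream->read_error) f->error++;` before `mp4ff_set_position`. If they should be tolerated, say so in a comment and consider making the function `void`, as was done for `mp4ff_track_add`.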
--- a/common/mp4ff/mp4ff.c
+++ b/common/mp4ff/mp4ff.c
@@ -40,7 +40,9 @@
 
     ff->stream = f;
 
-    if (parse_atoms(ff,0) < 0)
+    parse_atoms(ff,0);
+
+    if (ff->error)
     {
         free(ff);
         ff = NULL;
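Review bot: The failure branch releases only `ff` with `free(ff)`, although parsing has by then stored `malloc`ed tracks in `ff->track[]` and per-track tables such as `stsz_table`, so a rejected file leaks them. Because parsing now runs to the end of the file before `ff->error` is tested, more of these allocations can be outstanding than before this commit. The branch should free the tracks and their tables before `ff`, reusing the file's close routine if it tolerates a partly parsed structure. The second open function in the next hunk has the same branch.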
@@ -57,7 +59,9 @@
 
     ff->stream = f;
 
-    if (parse_atoms(ff,1) < 0)
+    parse_atoms(ff,1);
+
+    if (ff->error)
     {
         free(ff);
         ff = NULL;
@@ -109,7 +113,7 @@
     if (ff) free(ff);
 }
 
-static int32_t mp4ff_track_add(mp4ff_t *f)
+static void mp4ff_track_add(mp4ff_t *f)
 {
     f->total_tracks++;
 
@@ -116,14 +120,13 @@
     if (f->total_tracks > MAX_TRACKS)
     {
         f->total_tracks = 0;
-        return -1;
+        f->error++;
+        return;
     }
 
     f->track[f->total_tracks - 1] = malloc(sizeof(mp4ff_track_t));
 
     memset(f->track[f->total_tracks - 1], 0, sizeof(mp4ff_track_t));
-
-    return 0;
 }
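Review bot: The result of `malloc(sizeof(mp4ff_track_t))` goes straight into `memset` with no NULL check, so an allocation failure dereferences a null pointer. With the new counter the failure can be reported the same way as the `MAX_TRACKS` case: allocate with `calloc(1, sizeof(mp4ff_track_t))`, which also replaces the `memset`, and on NULL do `f->total_tracks--; f->error++; return;`. Decrementing keeps every slot below `total_tracks` non-NULL for the readers that index `f->track[f->total_tracks - 1]`.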
 
 static int need_parse_when_meta_only(uint8_t atom_type)
@@ -175,8 +178,7 @@
          */
         if (atom_type == ATOM_TRAK)
         {
-            if (mp4ff_track_add(f) < 0)
-                return -1;
+            mp4ff_track_add(f);
         }
 
         /* parse subatoms */
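Review bot: When `mp4ff_track_add` fails it resets `total_tracks` to 0 and bumps `f->error`, but this call site now carries on parsing. The file is already going to be rejected, and a later track atom would restart at `f->track[0]` and overwrite the pointer stored there. Adding `if (f->error) return -1;` right after the call stops work and allocations on input that is known to be bad. The enclosing loop and function start outside the hunk.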
@@ -185,11 +187,9 @@
 			mp4ff_set_position(f, mp4ff_position(f)+size-header_size);
 		} else if (atom_type < SUBATOMIC)
         {
-            if (parse_sub_atoms(f, size-header_size,meta_only) < 0)
-                return -1;
+            parse_sub_atoms(f, size-header_size,meta_only);
         } else {
-            if (mp4ff_atom_read(f, (uint32_t)size, atom_type) < 0)
-                return -1;
+            mp4ff_atom_read(f, (uint32_t)size, atom_type);
         }
     }
 
@@ -204,6 +204,7 @@
     uint8_t header_size = 0;
 
     f->file_size = 0;
+    f->stream->read_error = 0;
 
     while ((size = mp4ff_atom_read_header(f, &atom_type, &header_size)) != 0)
     {
@@ -230,8 +231,7 @@
 			mp4ff_set_position(f, mp4ff_position(f)+size-header_size);
 		} else if (atom_type < SUBATOMIC)
         {
-            if (parse_sub_atoms(f, size-header_size,meta_only) < 0)
-                return -1;
+            parse_sub_atoms(f, size-header_size,meta_only);
         } else {
             /* skip this atom */
             mp4ff_set_position(f, mp4ff_position(f)+size-header_size);
--- a/common/mp4ff/mp4ffint.h
+++ b/common/mp4ff/mp4ffint.h
@@ -144,6 +144,7 @@
     uint32_t (*seek)(void *user_data, uint64_t position);
     uint32_t (*truncate)(void *user_data);
     void *user_data;
+    uint32_t read_error;
 } mp4ff_callback_t;
 
 
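Review bot: `read_error` is added to `mp4ff_callback_t`, which looks like the structure the application fills in and hands to the library (it holds the `seek`/`truncate` callbacks and `user_data`), and the library now writes to it through `f->stream->read_error`. Only mp4ffint.h changes in this commit, so if a public header carries its own definition of the struct, callers built against it allocate a shorter object and the increment in mp4util.c would land past its end. Either update every definition together, or keep the counter in `mp4ff_t`, which the open functions appear to allocate themselves. Callers that do not zero the struct also leave the field uninitialised until the reset added in mp4ff.c runs.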
@@ -223,7 +224,7 @@
     uint64_t moov_size;
     uint8_t last_atom;
     uint64_t file_size;
-    int32_t read_error;
+    uint32_t error;
 
     /* mvhd */
     int32_t time_scale;
--- a/common/mp4ff/mp4meta.c
+++ b/common/mp4ff/mp4meta.c
@@ -240,7 +240,7 @@
     uint32_t len = 0;
 
 
-    while (sumsize < size && !f->read_error)
+    while (sumsize < size && !f->stream->read_error) /* CVE-2017-9222 */
     {
 		uint64_t destpos;
         subsize = mp4ff_atom_read_header(f, &atom_type, &header_size);
@@ -343,7 +343,7 @@
     uint8_t atom_type;
     uint8_t header_size = 0;
 
-    while (sumsize < size && !f->read_error)
+    while (sumsize < size)
     {
         subsize = mp4ff_atom_read_header(f, &atom_type, &header_size);
         if (subsize == 0)
--- a/common/mp4ff/mp4util.c
+++ b/common/mp4ff/mp4util.c
@@ -38,7 +38,7 @@
     result = f->stream->read(f->stream->user_data, data, size);
 
     if (result < size)
-        f->read_error++;
+        f->stream->read_error++;
 
     f->current_position += size;