diff options
author | Andreas Sturmlechner <asturm@gentoo.org> | 2018-09-18 16:54:25 +0200 |
---|---|---|
committer | Andreas Sturmlechner <asturm@gentoo.org> | 2018-09-18 17:07:45 +0200 |
commit | c8d9d005d305c0d4a8232649e3ec93535c1bacca (patch) | |
tree | 124dbc2b9d8c3ec2256e9092b2aa543312e3ce68 /media-libs | |
parent | media-libs/libquicktime: EAPI-7 bump (diff) | |
download | gentoo-c8d9d005d305c0d4a8232649e3ec93535c1bacca.tar.gz gentoo-c8d9d005d305c0d4a8232649e3ec93535c1bacca.tar.bz2 gentoo-c8d9d005d305c0d4a8232649e3ec93535c1bacca.zip |
media-libs/libquicktime: Fix CVE-2017-9122..9128
Bug: https://bugs.gentoo.org/634806
Package-Manager: Portage-2.3.49, Repoman-2.3.10
Diffstat (limited to 'media-libs')
-rw-r--r-- | media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2017-9122_et_al.patch | 151 | ||||
-rw-r--r-- | media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild | 1 |
2 files changed, 152 insertions, 0 deletions
diff --git a/media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2017-9122_et_al.patch b/media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2017-9122_et_al.patch new file mode 100644 index 000000000000..06fb7b33758b --- /dev/null +++ b/media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2017-9122_et_al.patch @@ -0,0 +1,151 @@ +From: Burkhard Plaum <plaum@ipf.uni-stuttgart.de> +Origin: https://sourceforge.net/p/libquicktime/mailman/libquicktime-devel/?viewmonth=201706 + +Hi, + +I committed some (mostly trivial) updates to CVS. The following CVE's +are fixed and/or no longer reproducible: + +CVE-2017-9122 +CVE-2017-9123 +CVE-2017-9124 +CVE-2017-9125 +CVE-2017-9126 +CVE-2017-9127 +CVE-2017-9128 + +I was a bit surprised that one simple sanity check fixes a whole bunch of files. + +So it could be, that the problems are still there, but better hidden since the +critical code isn't executed anymore with the sample files I got. + +If someone encounters more crashes, feel free to report them. + +Burkhard + +--- a/include/lqt_funcprotos.h ++++ b/include/lqt_funcprotos.h +@@ -1345,9 +1345,9 @@ int quicktime_write_int32_le(quicktime_t + int quicktime_write_char32(quicktime_t *file, char *string); + float quicktime_read_fixed16(quicktime_t *file); + int quicktime_write_fixed16(quicktime_t *file, float number); +-unsigned long quicktime_read_uint32(quicktime_t *file); +-long quicktime_read_int32(quicktime_t *file); +-long quicktime_read_int32_le(quicktime_t *file); ++uint32_t quicktime_read_uint32(quicktime_t *file); ++int32_t quicktime_read_int32(quicktime_t *file); ++int32_t quicktime_read_int32_le(quicktime_t *file); + int64_t quicktime_read_int64(quicktime_t *file); + int64_t quicktime_read_int64_le(quicktime_t *file); + long quicktime_read_int24(quicktime_t *file); +--- a/src/atom.c ++++ b/src/atom.c +@@ -131,6 +131,9 @@ int quicktime_atom_read_header(quicktime + atom->size = read_size64(header); + atom->end = atom->start + atom->size; + } ++/* Avoid broken files */ ++ if(atom->end > file->total_length) ++ result = 1; + } + + +--- a/src/lqt_quicktime.c ++++ b/src/lqt_quicktime.c +@@ -1788,8 +1788,8 @@ int quicktime_read_info(quicktime_t *fil + quicktime_set_position(file, start_position); + free(temp); + +- quicktime_read_moov(file, &file->moov, &leaf_atom); +- got_header = 1; ++ if(!quicktime_read_moov(file, &file->moov, &leaf_atom)) ++ got_header = 1; + } + else + quicktime_atom_skip(file, &leaf_atom); +--- a/src/moov.c ++++ b/src/moov.c +@@ -218,7 +218,8 @@ int quicktime_read_moov(quicktime_t *fil + if(quicktime_atom_is(&leaf_atom, "trak")) + { + quicktime_trak_t *trak = quicktime_add_trak(file); +- quicktime_read_trak(file, trak, &leaf_atom); ++ if(quicktime_read_trak(file, trak, &leaf_atom)) ++ return 1; + } + else + if(quicktime_atom_is(&leaf_atom, "udta")) +--- a/src/trak.c ++++ b/src/trak.c +@@ -269,6 +269,14 @@ int quicktime_read_trak(quicktime_t *fil + else quicktime_atom_skip(file, &leaf_atom); + } while(quicktime_position(file) < trak_atom->end); + ++ /* Do some sanity checks to prevent later crashes */ ++ if(trak->mdia.minf.is_video || trak->mdia.minf.is_video) ++ { ++ if(!trak->mdia.minf.stbl.stsc.table || ++ !trak->mdia.minf.stbl.stco.table) ++ return 1; ++ } ++ + #if 1 + if(trak->mdia.minf.is_video && + quicktime_match_32(trak->mdia.minf.stbl.stsd.table[0].format, "drac")) +--- a/src/util.c ++++ b/src/util.c +@@ -647,10 +647,10 @@ int quicktime_write_fixed16(quicktime_t + return quicktime_write_data(file, data, 2); + } + +-unsigned long quicktime_read_uint32(quicktime_t *file) ++uint32_t quicktime_read_uint32(quicktime_t *file) + { +- unsigned long result; +- unsigned long a, b, c, d; ++ uint32_t result; ++ uint32_t a, b, c, d; + uint8_t data[4]; + + quicktime_read_data(file, data, 4); +@@ -663,10 +663,10 @@ unsigned long quicktime_read_uint32(quic + return result; + } + +-long quicktime_read_int32(quicktime_t *file) ++int32_t quicktime_read_int32(quicktime_t *file) + { +- unsigned long result; +- unsigned long a, b, c, d; ++ uint32_t result; ++ uint32_t a, b, c, d; + uint8_t data[4]; + + quicktime_read_data(file, data, 4); +@@ -676,13 +676,13 @@ long quicktime_read_int32(quicktime_t *f + d = data[3]; + + result = (a << 24) | (b << 16) | (c << 8) | d; +- return (long)result; ++ return (int32_t)result; + } + +-long quicktime_read_int32_le(quicktime_t *file) ++int32_t quicktime_read_int32_le(quicktime_t *file) + { +- unsigned long result; +- unsigned long a, b, c, d; ++ uint32_t result; ++ uint32_t a, b, c, d; + uint8_t data[4]; + + quicktime_read_data(file, data, 4); +@@ -692,7 +692,7 @@ long quicktime_read_int32_le(quicktime_t + d = data[3]; + + result = (d << 24) | (c << 16) | (b << 8) | a; +- return (long)result; ++ return (int32_t)result; + } + + int64_t quicktime_read_int64(quicktime_t *file) diff --git a/media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild b/media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild index 69f1b64818eb..e4c2bea89205 100644 --- a/media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild +++ b/media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild @@ -61,6 +61,7 @@ PATCHES=( "${FILESDIR}"/${P}-ffmpeg2.patch "${FILESDIR}"/${P}-ffmpeg29.patch "${FILESDIR}"/${P}-CVE-2016-2399.patch + "${FILESDIR}"/${P}-CVE-2017-9122_et_al.patch ) src_prepare() { |