
gpac-0.6.1-4.1.mga6.tainted.src.rpm

From 1c449a34fe0b50aaffb881bfb9d7c5ab0bb18cdd Mon Sep 17 00:00:00 2001
From: Aurelien David <aurelien.david@telecom-paristech.fr>
Date: Fri, 11 Jan 2019 14:05:16 +0100
Subject: [PATCH] add some boundary checks on gf_text_get_utf8_line (#1188)

---
 applications/mp4client/main.c |  2 +-
 src/media_tools/text_import.c | 77 +++++++++++++++++++++++------------
 2 files changed, 53 insertions(+), 26 deletions(-)

diff --git a/applications/mp4client/main.c b/applications/mp4client/main.c
index 46404ff98..df01947f3 100644
--- a/applications/mp4client/main.c
+++ b/applications/mp4client/main.c
@@ -1715,7 +1715,7 @@ int mp4client_main(int argc, char **argv)
 					e = gf_dm_sess_process(sess);
 					if (!e) {
 						strncpy(the_url, gf_dm_sess_get_cache_name(sess), sizeof(the_url) - 1);
-						the_url[sizeof(the_cfg) - 1] = 0;
+						the_url[sizeof(the_url) - 1] = 0;
 					}
 					gf_dm_sess_del(sess);
 				}
diff --git a/src/media_tools/text_import.c b/src/media_tools/text_import.c
index 18f10f33d..af9200078 100644
--- a/src/media_tools/text_import.c
+++ b/src/media_tools/text_import.c
@@ -205,49 +205,76 @@ char *gf_text_get_utf8_line(char *szLine, u32 lineSize, FILE *txt_in, s32 unicod
 	if (unicode_type<=1) {
 		j=0;
 		len = (u32) strlen(szLine);
-		for (i=0; i<len; i++) {
+		for (i=0; i<len && j < sizeof(szLineConv) - 1; i++, j++) {
+
 			if (!unicode_type && (szLine[i] & 0x80)) {
 				/*non UTF8 (likely some win-CP)*/
 				if ((szLine[i+1] & 0xc0) != 0x80) {
-					szLineConv[j] = 0xc0 | ( (szLine[i] >> 6) & 0x3 );
-					j++;
-					szLine[i] &= 0xbf;
+					if (j + 1 < sizeof(szLineConv) - 1) {
+						szLineConv[j] = 0xc0 | ((szLine[i] >> 6) & 0x3);
+						j++;
+						szLine[i] &= 0xbf;
+					}
+					else
+						break;
 				}
 				/*UTF8 2 bytes char*/
 				else if ( (szLine[i] & 0xe0) == 0xc0) {
-					szLineConv[j] = szLine[i];
-					i++;
-					j++;
+
+					// don't cut multibyte in the middle in there is no more room in dest
+					if (j + 1 < sizeof(szLineConv) - 1 && i + 1 < len) {
+						szLineConv[j] = szLine[i];
+						i++;
+						j++;
+					}
+					else {
+						break;
+					}
 				}
 				/*UTF8 3 bytes char*/
 				else if ( (szLine[i] & 0xf0) == 0xe0) {
-					szLineConv[j] = szLine[i];
-					i++;
-					j++;
-					szLineConv[j] = szLine[i];
-					i++;
-					j++;
+					if (j + 2 < sizeof(szLineConv) - 1 && i + 2 < len) {
+						szLineConv[j] = szLine[i];
+						i++;
+						j++;
+						szLineConv[j] = szLine[i];
+						i++;
+						j++;
+					}
+					else {
+						break;
+					}
 				}
 				/*UTF8 4 bytes char*/
 				else if ( (szLine[i] & 0xf8) == 0xf0) {
-					szLineConv[j] = szLine[i];
-					i++;
-					j++;
-					szLineConv[j] = szLine[i];
-					i++;
-					j++;
-					szLineConv[j] = szLine[i];
-					i++;
-					j++;
+					if (j + 3 < sizeof(szLineConv) - 1 && i + 3 < len) {
+						szLineConv[j] = szLine[i];
+						i++;
+						j++;
+						szLineConv[j] = szLine[i];
+						i++;
+						j++;
+						szLineConv[j] = szLine[i];
+						i++;
+						j++;
+					}
+					else {
+						break;
+					}
 				} else {
 					i+=1;
 					continue;
 				}
 			}
-			szLineConv[j] = szLine[i];
-			j++;
+			if (j < sizeof(szLineConv)-1 && i<len)
+				szLineConv[j] = szLine[i];
+
 		}
-		szLineConv[j] = 0;
+		if (j >= sizeof(szLineConv))
+			szLineConv[sizeof(szLineConv) - 1] = 0;
+		else
+			szLineConv[j] = 0;
+
 		strcpy(szLine, szLineConv);
 		return sOK;
 	}