From bceb03fd2be95097a7b409ea59914f332fb6bc86 Mon Sep 17 00:00:00 2001
From: Aurelien David <aurelien.david@telecom-paristech.fr>
Date: Thu, 28 Jun 2018 13:34:08 +0200
Subject: [PATCH] fixed 2 possible heap overflows (inc. #1088)
---
 include/gpac/internal/isomedia_dev.h | 2 +-
 src/isomedia/box_code_base.c | 2 +-
 src/isomedia/box_dump.c | 14 +++++++-------
 3 files changed, 9 insertions(+), 9 deletions(-)
--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/include/gpac/internal/isomedia_dev.h
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/include/gpac/internal/isomedia_dev.h
@@ -2988,7 +2988,7 @@ GF_GenericSubtitleSample *gf_isom_parse_
 char __ptype[5];\
 strcpy(__ptype, gf_4cc_to_str(__parent->type) );\
 GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[iso file] extra box %s found in %s, deleting\n", gf_4cc_to_str(__abox->type), __ptype)); \
- gf_isom_box_del(a);\
+ gf_isom_box_del(__abox);\
 return GF_OK;\
 }
--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/isomedia/box_code_base.c
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/isomedia/box_code_base.c
@@ -619,7 +619,7 @@ GF_Err urn_Read(GF_Box *s, GF_BitStream
 //then get the break
 i = 0;
- while ( (tmpName[i] != 0) && (i < to_read) ) {
+ while ( (i < to_read) && (tmpName[i] != 0) ) {
 i++;
 }
 //check the data is consistent
--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/isomedia/box_dump.c
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/isomedia/box_dump.c
@@ -988,7 +988,7 @@ GF_Err dpin_dump(GF_Box *a, FILE * trace
 GF_Err hdlr_dump(GF_Box *a, FILE * trace)
 {
 GF_HandlerBox *p = (GF_HandlerBox *)a;
- if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8+1)) {
+ if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1) {
 fprintf(trace, "<HandlerBox Type=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8+1);
 } else {
 fprintf(trace, "<HandlerBox Type=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8);
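Review bot: In the macro body patched in include/gpac/internal/isomedia_dev.h, the context line `strcpy(__ptype, gf_4cc_to_str(__parent->type) );` copies into the 5-byte `__ptype` with no bound, so it is safe only if gf_4cc_to_str() never returns more than four characters plus the terminator; that function is not visible here. A bounded copy states the limit at the call site: `snprintf(__ptype, sizeof(__ptype), "%s", gf_4cc_to_str(__parent->type));\`. The macro parameters are also expanded unparenthesized, so `(__parent)->type` and `(__abox)->type` would keep the corrected `__abox` reference well-formed for arguments that are not plain identifiers. The macro's `#define` line lies outside the hunk.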
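Review bot: The reordered `while` condition in urn_Read (src/isomedia/box_code_base.c) now depends on short-circuit order for memory safety, and nothing in the code says so. A comment above the loop such as `/* test i < to_read first: tmpName is presumably not guaranteed to hold a NUL within to_read bytes */` would stop a later cleanup from swapping the operands back. The loop can still exit with `i == to_read` when no terminator was found, so the consistency check that follows (outside this hunk) has to reject that case before tmpName is handled as a C string. The allocation of tmpName and the rest of urn_Read are not visible here.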
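Review bot: In hdlr_dump (src/isomedia/box_dump.c) the `else` branch is also reached when `p->nameUTF8` is NULL, because the `if` condition begins with `p->nameUTF8 &&`. The branch then passes that NULL to `%s`, which is undefined behaviour; passing `p->nameUTF8 ? p->nameUTF8 : ""` instead would cover it. The length byte also appears to be read through a plain `char`, so where `char` is signed a value of 128 or more sign-extends under the `(u32)` cast and can never equal the strlen result; `(u32)(unsigned char) p->nameUTF8[0]` avoids that. For an empty string `strlen(p->nameUTF8)-1` wraps around and merely happens to select the `else` branch, which deserves a one-line comment. The function body continues past the end of the hunk.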