From bceb03fd2be95097a7b409ea59914f332fb6bc86 Mon Sep 17 00:00:00 2001
From: Aurelien David <aurelien.david@telecom-paristech.fr>
Date: Thu, 28 Jun 2018 13:34:08 +0200
Subject: [PATCH] fixed 2 possible heap overflows (inc. #1088)

---
 include/gpac/internal/isomedia_dev.h |  2 +-
 src/isomedia/box_code_base.c         |  2 +-
 src/isomedia/box_dump.c              | 14 +++++++-------
 3 files changed, 9 insertions(+), 9 deletions(-)

--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/include/gpac/internal/isomedia_dev.h
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/include/gpac/internal/isomedia_dev.h
@@ -2988,7 +2988,7 @@ GF_GenericSubtitleSample *gf_isom_parse_
 		char __ptype[5];\
 		strcpy(__ptype, gf_4cc_to_str(__parent->type) );\
 		GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[iso file] extra box %s found in %s, deleting\n", gf_4cc_to_str(__abox->type), __ptype)); \
-		gf_isom_box_del(a);\
+		gf_isom_box_del(__abox);\
 		return GF_OK;\
 	}
 
--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/isomedia/box_code_base.c
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/isomedia/box_code_base.c
@@ -619,7 +619,7 @@ GF_Err urn_Read(GF_Box *s, GF_BitStream
 
 	//then get the break
 	i = 0;
-	while ( (tmpName[i] != 0) && (i < to_read) ) {
+	while ( (i < to_read) && (tmpName[i] != 0) ) {
 		i++;
 	}
 	//check the data is consistent
--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/isomedia/box_dump.c
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/isomedia/box_dump.c
@@ -988,7 +988,7 @@ GF_Err dpin_dump(GF_Box *a, FILE * trace
 GF_Err hdlr_dump(GF_Box *a, FILE * trace)
 {
 	GF_HandlerBox *p = (GF_HandlerBox *)a;
-	if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8+1)) {
+	if (p->nameUTF8 && (u32) p->nameUTF8[0] == strlen(p->nameUTF8)-1) {
 		fprintf(trace, "<HandlerBox Type=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8+1);
 	} else {
 		fprintf(trace, "<HandlerBox Type=\"%s\" Name=\"%s\" ", gf_4cc_to_str(p->handlerType), p->nameUTF8);