From: Burkhard Plaum <plaum@ipf.uni-stuttgart.de>
Origin: https://sourceforge.net/p/libquicktime/mailman/libquicktime-devel/?viewmonth=201706

Hi,

I committed some (mostly trivial) updates to CVS. The following CVEs
are fixed and/or no longer reproducible:

CVE-2017-9122
CVE-2017-9123
CVE-2017-9124
CVE-2017-9125
CVE-2017-9126
CVE-2017-9127
CVE-2017-9128

I was a bit surprised that one simple sanity check fixes a whole bunch of files.

So it could be, that the problems are still there, but better hidden since the
critical code isn't executed anymore with the sample files I got.

If someone encounters more crashes, feel free to report them.

Burkhard

--- a/include/lqt_funcprotos.h
+++ b/include/lqt_funcprotos.h
@@ -1345,9 +1345,9 @@ int quicktime_write_int32_le(quicktime_t
 int quicktime_write_char32(quicktime_t *file, char *string);
 float quicktime_read_fixed16(quicktime_t *file);
 int quicktime_write_fixed16(quicktime_t *file, float number);
-unsigned long quicktime_read_uint32(quicktime_t *file);
-long quicktime_read_int32(quicktime_t *file);
-long quicktime_read_int32_le(quicktime_t *file);
+uint32_t quicktime_read_uint32(quicktime_t *file);
+int32_t quicktime_read_int32(quicktime_t *file);
+int32_t quicktime_read_int32_le(quicktime_t *file);
 int64_t quicktime_read_int64(quicktime_t *file);
 int64_t quicktime_read_int64_le(quicktime_t *file);
 long quicktime_read_int24(quicktime_t *file);
--- a/src/atom.c
+++ b/src/atom.c
@@ -131,6 +131,9 @@ int quicktime_atom_read_header(quicktime
 			atom->size = read_size64(header);
 			atom->end = atom->start + atom->size;
 		}
+/* Avoid broken files */
+        if(atom->end > file->total_length)
+          result = 1;
 	}
 
 
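Review bot: The added guard only rejects atoms whose computed `end` runs past the file; an `atom->size` smaller than the header just consumed, or a huge value from `read_size64` that wraps `atom->start + atom->size` (the field types are outside this hunk), yields an `end` at or before the current position, which this check accepts and which would make a caller's loop such as `while(quicktime_position(file) < trak_atom->end)` in trak.c terminate early or re-read the same bytes. Consider bounding both directions, e.g. `if(atom->end > file->total_length || atom->end < quicktime_position(file)) result = 1;`, assuming the header bytes have already been consumed at this point. The three added lines are indented with spaces where the surrounding block uses tabs. `quicktime_atom_read_header` begins before the hunk, so how `result` is initialised and consumed is not visible here.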
--- a/src/lqt_quicktime.c
+++ b/src/lqt_quicktime.c
@@ -1788,8 +1788,8 @@ int quicktime_read_info(quicktime_t *fil
                 quicktime_set_position(file, start_position);
                 free(temp);
 
-                quicktime_read_moov(file, &file->moov, &leaf_atom);
-                got_header = 1;
+                if(!quicktime_read_moov(file, &file->moov, &leaf_atom))
+                  got_header = 1;
                 }
               else
                 quicktime_atom_skip(file, &leaf_atom);
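Review bot: When `quicktime_read_moov` fails, `got_header` stays 0 but the partially parsed `file->moov`, including any trak appended by `quicktime_add_trak` whose sample tables may be exactly the NULL pointers the new trak.c check rejected, remains attached to `file`, and the loop neither skips the rest of the atom nor exits. Unlike the `else` branch, the read position is left wherever parsing stopped, so the next header is read from the middle of the failed atom. I would at least skip on failure, `if(!quicktime_read_moov(file, &file->moov, &leaf_atom)) got_header = 1; else quicktime_atom_skip(file, &leaf_atom);`, or break out of the loop, and confirm that the code consuming `got_header` (outside this hunk) discards the partial moov rather than using it. The enclosing function and loop start before the hunk.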
--- a/src/moov.c
+++ b/src/moov.c
@@ -218,7 +218,8 @@ int quicktime_read_moov(quicktime_t *fil
 		if(quicktime_atom_is(&leaf_atom, "trak"))
 		{
 			quicktime_trak_t *trak = quicktime_add_trak(file);
-			quicktime_read_trak(file, trak, &leaf_atom);
+			if(quicktime_read_trak(file, trak, &leaf_atom))
+                          return 1;
 		}
 		else
 		if(quicktime_atom_is(&leaf_atom, "udta"))
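Review bot: The early `return 1` leaves the trak that `quicktime_add_trak` just appended in `file->moov` in a half-initialised state, with the very stsc/stco tables that `quicktime_read_trak` now rejects, so any later walk over the track list (teardown included) has to tolerate it. Unless every caller is guaranteed to discard the whole moov on a non-zero return, it would be safer to detach or free the failed trak before returning, or to document on the function that a non-zero return means the moov contents must not be used, e.g. `/* Returns non-zero if a trak is unusable; the moov must then be discarded. */`. The added `return 1;` is indented with spaces where the surrounding code uses tabs. `quicktime_read_moov` starts before the hunk.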
--- a/src/trak.c
+++ b/src/trak.c
@@ -269,6 +269,14 @@ int quicktime_read_trak(quicktime_t *fil
     else quicktime_atom_skip(file, &leaf_atom);
     } while(quicktime_position(file) < trak_atom->end);
 
+  /* Do some sanity checks to prevent later crashes */
+  if(trak->mdia.minf.is_video || trak->mdia.minf.is_video)
+    {
+    if(!trak->mdia.minf.stbl.stsc.table ||
+       !trak->mdia.minf.stbl.stco.table)
+      return 1;
+    }
+
 #if 1 
   if(trak->mdia.minf.is_video &&
      quicktime_match_32(trak->mdia.minf.stbl.stsd.table[0].format, "drac"))
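Review bot: The new sanity check tests `is_video` twice in `if(trak->mdia.minf.is_video || trak->mdia.minf.is_video)`, so the audio case it presumably meant to cover (likely the `is_audio` flag; verify the field name) is never checked and an audio trak with a missing stsc or stco table still passes. Two lines further down `stsd.table[0]` is dereferenced for video tracks with no corresponding check, so the same guard should also reject an absent `stsd.table`. Suggest `if(trak->mdia.minf.is_video || trak->mdia.minf.is_audio)` and extending the inner condition with `|| !trak->mdia.minf.stbl.stsd.table`. `quicktime_read_trak` begins before the hunk.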
--- a/src/util.c
+++ b/src/util.c
@@ -647,10 +647,10 @@ int quicktime_write_fixed16(quicktime_t
 	return quicktime_write_data(file, data, 2);
 }
 
-unsigned long quicktime_read_uint32(quicktime_t *file)
+uint32_t quicktime_read_uint32(quicktime_t *file)
 {
-	unsigned long result;
-	unsigned long a, b, c, d;
+	uint32_t result;
+	uint32_t a, b, c, d;
 	uint8_t data[4];
 
 	quicktime_read_data(file, data, 4);
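Review bot: `quicktime_read_data(file, data, 4)` on the last line of this hunk has its return value ignored, and `data` is declared without an initialiser, so on a short or failed read the bytes assembled into `result` just past the hunk are indeterminate; the same pattern appears in the `quicktime_read_int32` and `quicktime_read_int32_le` hunks below. Given this patch is about broken files, I would write `uint8_t data[4] = {0};` so a truncated read yields a defined value, or propagate the failure if the return convention of `quicktime_read_data` allows it (not visible here). The `(int32_t)result` casts in the later hunks rely on implementation-defined conversion of an out-of-range unsigned value, which is the intended two's-complement reinterpretation on the supported targets but deserves a one-line comment such as `/* reinterpret the 32-bit pattern as signed */`.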
@@ -663,10 +663,10 @@ unsigned long quicktime_read_uint32(quic
 	return result;
 }
 
-long quicktime_read_int32(quicktime_t *file)
+int32_t quicktime_read_int32(quicktime_t *file)
 {
-	unsigned long result;
-	unsigned long a, b, c, d;
+	uint32_t result;
+	uint32_t a, b, c, d;
 	uint8_t data[4];
 
 	quicktime_read_data(file, data, 4);
@@ -676,13 +676,13 @@ long quicktime_read_int32(quicktime_t *f
 	d = data[3];
 
 	result = (a << 24) | (b << 16) | (c << 8) | d;
-	return (long)result;
+	return (int32_t)result;
 }
 
-long quicktime_read_int32_le(quicktime_t *file)
+int32_t quicktime_read_int32_le(quicktime_t *file)
 {
-	unsigned long result;
-	unsigned long a, b, c, d;
+	uint32_t result;
+	uint32_t a, b, c, d;
 	uint8_t data[4];
 
 	quicktime_read_data(file, data, 4);
@@ -692,7 +692,7 @@ long quicktime_read_int32_le(quicktime_t
 	d = data[3];
 
 	result = (d << 24) | (c << 16) | (b << 8) | a;
-	return (long)result;
+	return (int32_t)result;
 }
 
 int64_t quicktime_read_int64(quicktime_t *file)