Version in base suite: 1.0.1+dfsg1-4+deb11u1 Base version: gpac_1.0.1+dfsg1-4+deb11u1 Target version: gpac_1.0.1+dfsg1-4+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/gpac/gpac_1.0.1+dfsg1-4+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/gpac/gpac_1.0.1+dfsg1-4+deb11u2.dsc changelog | 6 patches/CVE-2020-35980.patch | 26 ++ patches/CVE-2021-33361.patch | 71 ++++++ patches/CVE-2021-33363.patch | 31 +++ patches/CVE-2021-33364.patch | 21 ++ patches/CVE-2021-33365.patch | 35 +++ patches/CVE-2021-33366.patch | 28 ++ patches/CVE-2021-36412.patch | 32 +++ patches/CVE-2021-36414.patch | 43 ++++ patches/CVE-2021-36417.patch | 157 +++++++++++++++ patches/CVE-2021-4043.patch | 32 +++ patches/CVE-2021-40559.patch | 93 +++++++++ patches/CVE-2021-40562.patch | 28 ++ patches/CVE-2021-40563.patch | 26 ++ patches/CVE-2021-40564.patch | 22 ++ patches/CVE-2021-40565.patch | 26 ++ patches/CVE-2021-40566.patch | 76 +++++++ patches/CVE-2021-40567.patch | 21 ++ patches/CVE-2021-40568.patch | 22 ++ patches/CVE-2021-40569.patch | 36 +++ patches/CVE-2021-40570.patch | 21 ++ patches/CVE-2021-40571.patch | 24 ++ patches/CVE-2021-40572.patch | 29 ++ patches/CVE-2021-40574.patch | 43 ++++ patches/CVE-2021-40575.patch | 29 ++ patches/CVE-2021-40576_40606_40609.patch | 23 ++ patches/CVE-2021-40592.patch | 46 ++++ patches/CVE-2021-40607.patch | 28 ++ patches/CVE-2021-40608.patch | 55 +++++ patches/CVE-2021-40944.patch | 40 +++ patches/CVE-2021-41456.patch | 36 +++ patches/CVE-2021-41457.patch | 193 ++++++++++++++++++ patches/CVE-2021-41459.patch | 33 +++ patches/CVE-2021-45262.patch | 67 ++++++ patches/CVE-2021-45263.patch | 25 ++ patches/CVE-2021-45267.patch | 27 ++ patches/CVE-2021-45291.patch | 24 ++ patches/CVE-2021-45292.patch | 37 +++ patches/CVE-2021-45297.patch | 26 ++ patches/CVE-2021-45760.patch | 27 ++ patches/CVE-2021-45762.patch | 64 ++++++ patches/CVE-2021-45763.patch | 111 ++++++++++ patches/CVE-2021-45764.patch | 24 ++ patches/CVE-2021-45767.patch | 25 ++ patches/CVE-2021-45831.patch | 34 +++ patches/CVE-2021-46038to46046_46049_46051.patch | 34 +++ patches/CVE-2021-46047.patch | 33 +++ patches/CVE-2022-1035.patch | 26 ++ patches/CVE-2022-1222.patch | 46 ++++ patches/CVE-2022-1441.patch | 41 ++++ patches/CVE-2022-1795.patch | 40 +++ patches/CVE-2022-2454.patch | 25 ++ patches/CVE-2022-24574.patch | 99 +++++++++ patches/CVE-2022-24577.patch | 89 ++++++++ patches/CVE-2022-24578.patch | 32 +++ patches/CVE-2022-26967_partial.patch | 244 ++++++++++++++++++++++++ patches/CVE-2022-27145.patch | 32 +++ patches/CVE-2022-27147.patch | 71 ++++++ patches/CVE-2022-29537.patch | 29 ++ patches/CVE-2022-3222.patch | 113 +++++++++++ patches/CVE-2022-36190_36191.patch | 93 +++++++++ patches/CVE-2022-38530.patch | 58 +++++ patches/CVE-2022-3957.patch | 91 ++++++++ patches/CVE-2022-4202.patch | 78 +++++++ patches/CVE-2022-43255.patch | 28 ++ patches/CVE-2022-45202.patch | 71 ++++++ patches/CVE-2022-45283.patch | 40 +++ patches/CVE-2022-45343.patch | 81 +++++++ patches/CVE-2022-47086.patch | 44 ++++ patches/CVE-2022-47091.patch | 43 ++++ patches/CVE-2022-47094.patch | 25 ++ patches/CVE-2022-47095.patch | 45 ++++ patches/CVE-2022-47657.patch | 28 ++ patches/CVE-2022-47659.patch | 45 ++++ patches/CVE-2022-47660.patch | 71 ++++++ patches/CVE-2022-47661.patch | 27 ++ patches/CVE-2022-47662.patch | 199 +++++++++++++++++++ patches/CVE-2022-47663.patch | 50 ++++ patches/CVE-2023-0770.patch | 28 ++ patches/CVE-2023-0818.patch | 65 ++++++ patches/CVE-2023-0819.patch | 28 ++ patches/CVE-2023-0866.patch | 35 +++ patches/CVE-2023-1448.patch | 26 ++ patches/CVE-2023-1449.patch | 41 ++++ patches/CVE-2023-1452.patch | 27 ++ patches/CVE-2023-1654.patch | 63 ++++++ patches/CVE-2023-23143.patch | 34 +++ patches/CVE-2023-23144.patch | 34 +++ patches/CVE-2023-23145.patch | 24 ++ patches/CVE-2023-2837.patch | 51 +++++ patches/CVE-2023-2838.patch | 26 ++ patches/CVE-2023-2839.patch | 31 +++ patches/CVE-2023-2840.patch | 26 ++ patches/series | 93 +++++++++ patches/talos-2021-1297-2.patch | 13 + 95 files changed, 4639 insertions(+) diff -Nru gpac-1.0.1+dfsg1/debian/changelog gpac-1.0.1+dfsg1/debian/changelog --- gpac-1.0.1+dfsg1/debian/changelog 2021-08-19 22:03:29.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/changelog 2023-05-23 11:53:25.000000000 +0000 @@ -1,3 +1,9 @@ +gpac (1.0.1+dfsg1-4+deb11u2) bullseye-security; urgency=medium + + * Fix multiple security issues + + -- Aron Xu Tue, 23 May 2023 19:53:25 +0800 + gpac (1.0.1+dfsg1-4+deb11u1) bullseye-security; urgency=medium * Fix multiple security issues diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2020-35980.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2020-35980.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2020-35980.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2020-35980.patch 2023-04-26 17:03:39.000000000 +0000 @@ -0,0 +1,26 @@ +From 5aba27604d957e960d8069d85ccaf868f8a7b07a Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 4 Jan 2021 11:18:27 +0100 +Subject: [PATCH] fixed #1661 + +--- + src/isomedia/isom_store.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/isomedia/isom_store.c b/src/isomedia/isom_store.c +index ee2b2cfaf..b3aea7b69 100644 +--- a/src/isomedia/isom_store.c ++++ b/src/isomedia/isom_store.c +@@ -102,6 +102,9 @@ void CleanWriters(GF_List *writers) + { + while (gf_list_count(writers)) { + TrackWriter *writer = (TrackWriter*)gf_list_get(writers, 0); ++ //in case we have an error in the middle of file write, remove our created stco and stsc from sample table ++ gf_list_del_item(writer->stbl->child_boxes, writer->stco); ++ gf_list_del_item(writer->stbl->child_boxes, writer->stsc); + gf_isom_box_del(writer->stco); + gf_isom_box_del((GF_Box *)writer->stsc); + gf_free(writer); +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33361.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33361.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33361.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33361.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,71 @@ +From a51f951b878c2b73c1d8e2f1518c7cdc5fb82c3f Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 10 May 2021 11:14:03 +0200 +Subject: [PATCH] fixed #1782 (fuzz) + +--- + applications/mp4box/main.c | 8 ++++++++ + src/isomedia/box_code_adobe.c | 7 +++---- + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/applications/mp4box/main.c b/applications/mp4box/main.c +index e0215f77e..db6c06779 100644 +--- a/applications/mp4box/main.c ++++ b/applications/mp4box/main.c +@@ -5439,6 +5439,14 @@ static u32 mp4box_cleanup(u32 ret_code) { + } + if (logfile) gf_fclose(logfile); + gf_sys_close(); ++ ++#ifdef GPAC_MEMORY_TRACKING ++ if (mem_track && (gf_memory_size() || gf_file_handles_count() )) { ++ gf_log_set_tool_level(GF_LOG_MEMORY, GF_LOG_INFO); ++ gf_memory_print(); ++ } ++#endif ++ + return ret_code; + } + +diff --git a/src/isomedia/box_code_adobe.c b/src/isomedia/box_code_adobe.c +index fe4619191..bb80f3ce8 100644 +--- a/src/isomedia/box_code_adobe.c ++++ b/src/isomedia/box_code_adobe.c +@@ -408,6 +408,7 @@ GF_Err afra_box_read(GF_Box *s, GF_BitStream *bs) + for (i=0; ientry_count; i++) { + GF_AfraEntry *ae = gf_malloc(sizeof(GF_AfraEntry)); + if (!ae) return GF_OUT_OF_MEM; ++ gf_list_insert(ptr->local_access_entries, ae, i); + + ISOM_DECREASE_SIZE(ptr, 8) + ae->time = gf_bs_read_u64(bs); +@@ -418,8 +419,6 @@ GF_Err afra_box_read(GF_Box *s, GF_BitStream *bs) + ISOM_DECREASE_SIZE(ptr, 4) + ae->offset = gf_bs_read_u32(bs); + } +- +- gf_list_insert(ptr->local_access_entries, ae, i); + } + + if (ptr->global_entries) { +@@ -428,6 +427,8 @@ GF_Err afra_box_read(GF_Box *s, GF_BitStream *bs) + for (i=0; iglobal_entry_count; i++) { + GF_GlobalAfraEntry *ae = gf_malloc(sizeof(GF_GlobalAfraEntry)); + if (!ae) return GF_OUT_OF_MEM; ++ gf_list_insert(ptr->global_access_entries, ae, i); ++ + ISOM_DECREASE_SIZE(ptr, 8) + ae->time = gf_bs_read_u64(bs); + if (ptr->long_ids) { +@@ -448,8 +449,6 @@ GF_Err afra_box_read(GF_Box *s, GF_BitStream *bs) + ae->afra_offset = gf_bs_read_u32(bs); + ae->offset_from_afra = gf_bs_read_u32(bs); + } +- +- gf_list_insert(ptr->global_access_entries, ae, i); + } + } + +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33363.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33363.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33363.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33363.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,31 @@ +From ec64c7b8966d7e4642d12debb888be5acf18efb9 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 10 May 2021 11:31:19 +0200 +Subject: [PATCH] fixed #1786 (fuzz) + +--- + src/isomedia/box_code_meta.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/isomedia/box_code_meta.c b/src/isomedia/box_code_meta.c +index c8435b9f8..e3f0556c0 100644 +--- a/src/isomedia/box_code_meta.c ++++ b/src/isomedia/box_code_meta.c +@@ -566,10 +566,13 @@ GF_Err infe_box_read(GF_Box *s, GF_BitStream *bs) + ptr->content_type = (char*)gf_malloc(sizeof(char)*string_len); + if (!ptr->content_type) return GF_OUT_OF_MEM; + memcpy(ptr->content_type, buf+string_start, string_len); +- } else { ++ } else if (!ptr->content_encoding) { + ptr->content_encoding = (char*)gf_malloc(sizeof(char)*string_len); + if (!ptr->content_encoding) return GF_OUT_OF_MEM; + memcpy(ptr->content_encoding, buf+string_start, string_len); ++ } else { ++ //we could throw an error but we silently accept this infe ++ break; + } + string_start += string_len; + string_len = 0; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33364.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33364.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33364.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33364.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,21 @@ +From fe5155cf047252d1c4cb91602048bfa682af0ea7 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 10 May 2021 11:18:59 +0200 +Subject: [PATCH] fixed #1783 (fuzz) + +--- + src/isomedia/isom_intern.c | 1 + + 1 file changed, 1 insertion(+) + +Index: gpac-1.0.1+dfsg1/src/isomedia/isom_intern.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/isomedia/isom_intern.c ++++ gpac-1.0.1+dfsg1/src/isomedia/isom_intern.c +@@ -465,6 +465,7 @@ GF_Err gf_isom_parse_movie_boxes(GF_ISOF + gf_isom_box_del(a); + return GF_OK; + } ++ gf_isom_box_del(a); + } + ((GF_MovieFragmentBox *)a)->mov = mov; + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33365.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33365.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33365.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33365.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,35 @@ +From 984787de3d414a5f7d43d0b4584d9469dff2a5a5 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 10 May 2021 11:24:17 +0200 +Subject: [PATCH] fixed #1784 (fuzz) + +--- + src/isomedia/isom_read.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/isomedia/isom_read.c b/src/isomedia/isom_read.c +index 2f4feb95a..58e631f91 100644 +--- a/src/isomedia/isom_read.c ++++ b/src/isomedia/isom_read.c +@@ -694,7 +694,17 @@ GF_Descriptor *gf_isom_get_root_od(GF_ISOFile *movie) + + //duplicate our descriptor + movie->LastError = gf_odf_desc_copy((GF_Descriptor *) movie->moov->iods->descriptor, &desc); +- if (movie->LastError) return NULL; ++ if (movie->LastError) { ++ if (od) { ++ gf_list_del(od->ESDescriptors); ++ gf_free(od); ++ } ++ if (iod) { ++ gf_list_del(iod->ESDescriptors); ++ gf_free(iod); ++ } ++ return NULL; ++ } + + if (!useIOD) { + isom_od = (GF_IsomObjectDescriptor *)desc; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33366.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33366.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33366.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-33366.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,28 @@ +From 0a85029d694f992f3631e2f249e4999daee15cbf Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 10 May 2021 11:26:57 +0200 +Subject: [PATCH] fixed #1785 (fuzz) + +--- + src/isomedia/avc_ext.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/isomedia/avc_ext.c b/src/isomedia/avc_ext.c +index a3674510b..0e7d96a96 100644 +--- a/src/isomedia/avc_ext.c ++++ b/src/isomedia/avc_ext.c +@@ -3373,8 +3373,10 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs) + op->output_layer_set_idx = gf_bs_read_u16(bs); + op->max_temporal_id = gf_bs_read_u8(bs); + op->layer_count = gf_bs_read_u8(bs); +- if (op->layer_count > GF_ARRAY_LENGTH(op->layers_info)) ++ if (op->layer_count > GF_ARRAY_LENGTH(op->layers_info)) { ++ gf_free(op); + return GF_NON_COMPLIANT_BITSTREAM; ++ } + for (j = 0; j < op->layer_count; j++) { + op->layers_info[j].ptl_idx = gf_bs_read_u8(bs); + op->layers_info[j].layer_id = gf_bs_read_int(bs, 6); +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-36412.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-36412.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-36412.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-36412.patch 2023-05-17 09:57:08.000000000 +0000 @@ -0,0 +1,32 @@ +From 828188475084db87cebc34208b6bd2509709845e Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 5 Jul 2021 16:41:49 +0200 +Subject: [PATCH] fixed #1838 + +--- + src/ietf/rtp_pck_mpeg12.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/ietf/rtp_pck_mpeg12.c b/src/ietf/rtp_pck_mpeg12.c +index c108522b9..7f2dffa83 100644 +--- a/src/ietf/rtp_pck_mpeg12.c ++++ b/src/ietf/rtp_pck_mpeg12.c +@@ -123,6 +123,7 @@ GF_Err gp_rtp_builder_do_mpeg12_video(GP_RTPPacketizer *builder, u8 *data, u32 d + + /*no flsuh (no aggregation)*/ + if (!data) return GF_OK; ++ if (data_size<4) return GF_NON_COMPLIANT_BITSTREAM; + + offset = 0; + have_seq = GF_FALSE; +@@ -152,6 +153,7 @@ GF_Err gp_rtp_builder_do_mpeg12_video(GP_RTPPacketizer *builder, u8 *data, u32 d + mpv_hdr[3] = 0; + + if ((pic_type==2) || (pic_type== 3)) { ++ if (data_size<5) return GF_NON_COMPLIANT_BITSTREAM; + mpv_hdr[3] = (u8) ((((u32)payload[3]) << 5) & 0xf); + if ((payload[4] & 0x80) != 0) mpv_hdr[3] |= 0x10; + if (pic_type == 3) mpv_hdr[3] |= (payload[4] >> 3) & 0xf; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-36414.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-36414.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-36414.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-36414.patch 2023-04-26 17:15:56.000000000 +0000 @@ -0,0 +1,43 @@ +From 6007c7145eb0fcd29fe05b6e5983a065b42c6b21 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 5 Jul 2021 16:50:03 +0200 +Subject: [PATCH] fixed #1840 + +--- + src/isomedia/isom_write.c | 6 +++++- + src/isomedia/media.c | 2 +- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/isomedia/isom_write.c b/src/isomedia/isom_write.c +index 4f005764c..12d67dabe 100644 +--- a/src/isomedia/isom_write.c ++++ b/src/isomedia/isom_write.c +@@ -6863,7 +6863,11 @@ GF_Err gf_isom_set_ctts_v1(GF_ISOFile *file, u32 track, u32 ctts_shift) + if (!trak) return GF_BAD_PARAM; + + ctts = trak->Media->information->sampleTable->CompositionOffset; +- shift = ctts->version ? ctts_shift : ctts->entries[0].decodingOffset; ++ if (ctts->version) { ++ shift = ctts_shift; ++ } else { ++ shift = ctts->nb_entries ? ctts->entries[0].decodingOffset : 0; ++ } + leastCTTS = GF_INT_MAX; + greatestCTTS = 0; + for (i=0; inb_entries; i++) { +diff --git a/src/isomedia/media.c b/src/isomedia/media.c +index 7ce8d1d01..9197935da 100644 +--- a/src/isomedia/media.c ++++ b/src/isomedia/media.c +@@ -99,7 +99,7 @@ static GF_Err gf_isom_get_3gpp_audio_esd(GF_SampleTableBox *stbl, u32 type, GF_G + memset(szName, 0, 80); + strcpy(szName, "QCELP-13K(GPAC-emulated)"); + gf_bs_write_data(bs, szName, 80); +- ent = &stbl->TimeToSample->entries[0]; ++ ent = stbl->TimeToSample->nb_entries ? &stbl->TimeToSample->entries[0] : NULL; + sample_rate = entry->samplerate_hi; + block_size = ent ? ent->sampleDelta : 160; + gf_bs_write_u16_le(bs, 8*sample_size*sample_rate/block_size); +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-36417.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-36417.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-36417.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-36417.patch 2023-04-26 17:32:15.000000000 +0000 @@ -0,0 +1,157 @@ +Backported from https://github.com/gpac/gpac/commit/737e1f39da80e02912953269966d89afd196ad30 + +diff --git a/src/isomedia/avc_ext.c b/src/isomedia/avc_ext.c +index a234825fa..673951b19 100644 +--- a/src/isomedia/avc_ext.c ++++ b/src/isomedia/avc_ext.c +@@ -2286,7 +2286,7 @@ GF_AVCConfig *gf_isom_avc_config_get(GF_ISOFile *the_file, u32 trackNumber, u32 + + entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex-1); + if (!entry) return NULL; +- ++ if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return NULL; + if (!entry->avc_config) return NULL; + return AVC_DuplicateConfig(entry->avc_config->config); + } +@@ -2309,6 +2309,7 @@ GF_HEVCConfig *gf_isom_hevc_config_get(GF_ISOFile *the_file, u32 trackNumber, u3 + return NULL; + entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex-1); + if (!entry) return NULL; ++ if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return NULL; + if (!entry->hevc_config) return NULL; + return HEVC_DuplicateConfig(entry->hevc_config->config); + } +@@ -2372,6 +2375,7 @@ GF_AVCConfig *gf_isom_svc_config_get(GF_ISOFile *the_file, u32 trackNumber, u32 + return NULL; + entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex-1); + if (!entry) return NULL; ++ if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return NULL; + if (!entry->svc_config) return NULL; + return AVC_DuplicateConfig(entry->svc_config->config); + } +@@ -2388,6 +2392,7 @@ GF_AVCConfig *gf_isom_mvc_config_get(GF_ISOFile *the_file, u32 trackNumber, u32 + return NULL; + entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex-1); + if (!entry) return NULL; ++ if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return NULL; + if (!entry->mvc_config) return NULL; + return AVC_DuplicateConfig(entry->mvc_config->config); + } +@@ -2407,7 +2412,9 @@ GF_AV1Config *gf_isom_av1_config_get(GF_ISOFile *the_file, u32 trackNumber, u32 + trak = gf_isom_get_track_from_file(the_file, trackNumber); + if (!trak || !trak->Media || !DescriptionIndex) return NULL; + entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex - 1); +- if (!entry || !entry->av1_config|| !entry->av1_config->config) return NULL; ++ if (!entry) return NULL; ++ if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return NULL; ++ if (!entry->av1_config|| !entry->av1_config->config) return NULL; + return AV1_DuplicateConfig(entry->av1_config->config); + } + +@@ -2420,7 +2427,9 @@ GF_VPConfig *gf_isom_vp_config_get(GF_ISOFile *the_file, u32 trackNumber, u32 De + trak = gf_isom_get_track_from_file(the_file, trackNumber); + if (!trak || !trak->Media || !DescriptionIndex) return NULL; + entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex - 1); +- if (!entry || !entry->vp_config) return NULL; ++ if (!entry) return NULL; ++ if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return NULL; ++ if (!entry->vp_config || !entry->vp_config->config) return NULL; + return VP_DuplicateConfig(entry->vp_config->config); + } + +@@ -2432,7 +2441,9 @@ GF_DOVIDecoderConfigurationRecord *gf_isom_dovi_config_get(GF_ISOFile* the_file, + trak = gf_isom_get_track_from_file(the_file, trackNumber); + if (!trak || !trak->Media || !DescriptionIndex) return NULL; + entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex - 1); +- if (!entry || !entry->dovi_config) return NULL; ++ if (!entry) return NULL; ++ if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return NULL; ++ if (!entry->dovi_config) return NULL; + return DOVI_DuplicateConfig(&entry->dovi_config->DOVIConfig); + } + +@@ -2449,6 +2460,7 @@ GF_ISOMAVCType gf_isom_get_avc_svc_type(GF_ISOFile *the_file, u32 trackNumber, u + + entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex-1); + if (!entry) return GF_ISOM_AVCTYPE_NONE; ++ if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return GF_ISOM_AVCTYPE_NONE; + + type = entry->type; + +@@ -2491,6 +2503,7 @@ GF_ISOMHEVCType gf_isom_get_hevc_lhvc_type(GF_ISOFile *the_file, u32 trackNumber + return GF_ISOM_HEVCTYPE_NONE; + entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex-1); + if (!entry) return GF_ISOM_HEVCTYPE_NONE; ++ if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return GF_ISOM_HEVCTYPE_NONE; + type = entry->type; + + if (type == GF_ISOM_BOX_TYPE_ENCV) { +@@ -2536,6 +2549,7 @@ GF_HEVCConfig *gf_isom_lhvc_config_get(GF_ISOFile *the_file, u32 trackNumber, u3 + return NULL; + entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex-1); + if (!entry) return NULL; ++ if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return NULL; + if (!entry->lhvc_config) return NULL; + lhvc = HEVC_DuplicateConfig(entry->lhvc_config->config); + if (!lhvc) return NULL; +diff --git a/src/isomedia/sample_descs.c b/src/isomedia/sample_descs.c +index b0b65aa77..fd1c57cb6 100644 +--- a/src/isomedia/sample_descs.c ++++ b/src/isomedia/sample_descs.c +@@ -314,10 +314,12 @@ GF_3GPConfig *gf_isom_3gp_config_get(GF_ISOFile *the_file, u32 trackNumber, u32 + case GF_ISOM_SUBTYPE_3GP_EVRC: + case GF_ISOM_SUBTYPE_3GP_QCELP: + case GF_ISOM_SUBTYPE_3GP_SMV: ++ if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_AUDIO) return NULL; + if (! ((GF_MPEGAudioSampleEntryBox*)entry)->cfg_3gpp) return NULL; + config = & ((GF_MPEGAudioSampleEntryBox*)entry)->cfg_3gpp->cfg; + break; + case GF_ISOM_SUBTYPE_3GP_H263: ++ if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return NULL; + if (! ((GF_MPEGVisualSampleEntryBox*)entry)->cfg_3gpp) return NULL; + config = & ((GF_MPEGVisualSampleEntryBox*)entry)->cfg_3gpp->cfg; + break; +@@ -342,8 +344,9 @@ GF_AC3Config *gf_isom_ac3_config_get(GF_ISOFile *the_file, u32 trackNumber, u32 + if (!trak || !StreamDescriptionIndex) return NULL; + + entry = (GF_MPEGAudioSampleEntryBox *)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, StreamDescriptionIndex-1); +- if (!entry || !entry->cfg_ac3) return NULL; ++ if (!entry) return NULL; + if (!entry->cfg_ac3) return NULL; ++ if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_AUDIO) return NULL; + if ( (entry->cfg_ac3->type!=GF_ISOM_BOX_TYPE_DAC3) && (entry->cfg_ac3->type!=GF_ISOM_BOX_TYPE_DEC3) ) return NULL; + + res = (GF_AC3Config*)gf_malloc(sizeof(GF_AC3Config)); +@@ -364,6 +367,8 @@ GF_Err gf_isom_flac_config_get(GF_ISOFile *the_file, u32 trackNumber, u32 Stream + if (!trak || !StreamDescriptionIndex) return GF_BAD_PARAM; + + entry = (GF_MPEGAudioSampleEntryBox *)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, StreamDescriptionIndex-1); ++ if (!entry) return GF_BAD_PARAM; ++ if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_AUDIO) return GF_BAD_PARAM; + + type = entry->type; + if (type==GF_ISOM_BOX_TYPE_ENCA) { +@@ -492,6 +498,8 @@ GF_Err gf_isom_opus_config_get(GF_ISOFile *the_file, u32 trackNumber, u32 Stream + if (!trak || !StreamDescriptionIndex) return GF_BAD_PARAM; + + entry = (GF_MPEGAudioSampleEntryBox *)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, StreamDescriptionIndex-1); ++ if (!entry) return GF_BAD_PARAM; ++ if (entry->internal_type != GF_ISOM_SAMPLE_ENTRY_AUDIO) return GF_BAD_PARAM; + + type = entry->type; + if (type==GF_ISOM_BOX_TYPE_ENCA) { +@@ -634,9 +642,11 @@ GF_Err gf_isom_3gp_config_update(GF_ISOFile *the_file, u32 trackNumber, GF_3GPCo + case GF_ISOM_SUBTYPE_3GP_EVRC: + case GF_ISOM_SUBTYPE_3GP_QCELP: + case GF_ISOM_SUBTYPE_3GP_SMV: ++ if (a_entry->internal_type != GF_ISOM_SAMPLE_ENTRY_AUDIO) return GF_ISOM_INVALID_FILE; + cfg = &a_entry->cfg_3gpp->cfg; + break; + case GF_ISOM_SUBTYPE_3GP_H263: ++ if (v_entry->internal_type != GF_ISOM_SAMPLE_ENTRY_VIDEO) return GF_ISOM_INVALID_FILE; + cfg = & v_entry->cfg_3gpp->cfg; + break; + default: +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-4043.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-4043.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-4043.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-4043.patch 2023-04-26 17:06:32.000000000 +0000 @@ -0,0 +1,32 @@ +From 64a2e1b799352ac7d7aad1989bc06e7b0f2b01db Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Tue, 1 Feb 2022 15:28:23 +0100 +Subject: [PATCH] fixed #2092 + +--- + src/isomedia/box_code_base.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/isomedia/box_code_base.c b/src/isomedia/box_code_base.c +index b3c38310a..126084b0e 100644 +--- a/src/isomedia/box_code_base.c ++++ b/src/isomedia/box_code_base.c +@@ -11083,10 +11083,12 @@ void gitn_box_del(GF_Box *s) + u32 i; + GroupIdToNameBox *ptr = (GroupIdToNameBox *)s; + if (ptr == NULL) return; +- for (i=0; inb_entries; i++) { +- if (ptr->entries[i].name) gf_free(ptr->entries[i].name); ++ if (ptr->entries) { ++ for (i=0; inb_entries; i++) { ++ if (ptr->entries[i].name) gf_free(ptr->entries[i].name); ++ } ++ gf_free(ptr->entries); + } +- if (ptr->entries) gf_free(ptr->entries); + gf_free(ptr); + } + +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40559.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40559.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40559.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40559.patch 2023-05-17 10:22:33.000000000 +0000 @@ -0,0 +1,93 @@ +Origin: https://github.com/gpac/gpac/commit/70607fc71a671cf48a05e013a4e411429373dce7 +Reviewed-by: Aron Xu + +From 70607fc71a671cf48a05e013a4e411429373dce7 Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Tue, 24 Aug 2021 18:16:50 +0200 +Subject: [PATCH] add some null guards to prevent segfaults + +closes #1884, #1886 +--- + src/filters/reframe_nalu.c | 12 ++++++------ + src/isomedia/isom_intern.c | 12 +++++++----- + 2 files changed, 13 insertions(+), 11 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/filters/reframe_nalu.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/filters/reframe_nalu.c ++++ gpac-1.0.1+dfsg1/src/filters/reframe_nalu.c +@@ -314,7 +314,7 @@ GF_Err naludmx_configure_pid(GF_Filter * + ctx->ps_modified = GF_TRUE; + ctx->crc_cfg = ctx->crc_cfg_enh = 0; + } +- ++ + return GF_OK; + } + +@@ -694,7 +694,7 @@ GF_Err naludmx_set_hevc_oinf(GF_NALUDmxC + if (!vps_sl) return GF_SERVICE_ERROR; + + vps = &ctx->hevc_state->vps[vps_sl->id]; +- ++ + if (!vps->vps_extension_found) return GF_OK; + if (vps->max_layers<2) return GF_OK; + +@@ -836,7 +836,7 @@ static void naludmx_set_hevc_linf(GF_NAL + return; + + bs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE); +- ++ + gf_bs_write_int(bs, 0, 2); + gf_bs_write_int(bs, nb_layers, 6); + for (i=0; inb_nalus++; +- ++ + switch (nal_type) { + case GF_AVC_NALU_SVC_SUBSEQ_PARAM: + case GF_AVC_NALU_SEQ_PARAM: +@@ -1999,7 +1999,7 @@ static s32 naludmx_parse_nal_avc(GF_NALU + u32 i; + for (i = 0; i < gf_list_count(ctx->pps); i ++) { + GF_AVCConfigSlot *slc = (GF_AVCConfigSlot*)gf_list_get(ctx->pps, i); +- if (ctx->avc_state->s_info.pps->id == slc->id) { ++ if (ctx->avc_state->s_info.pps && ctx->avc_state->s_info.pps->id == slc->id) { + /* This PPS is used by an SVC NAL unit, it should be moved to the SVC Config Record) */ + gf_list_rem(ctx->pps, i); + i--; +@@ -2367,7 +2367,7 @@ naldmx_flush: + if (!ctx->opid && current) { + assert(remain>=current); + assert((s32) current >= 0); +- ++ + start += current; + remain -= current; + current = 0; +Index: gpac-1.0.1+dfsg1/src/isomedia/isom_intern.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/isomedia/isom_intern.c ++++ gpac-1.0.1+dfsg1/src/isomedia/isom_intern.c +@@ -499,10 +499,12 @@ GF_Err gf_isom_parse_movie_boxes(GF_ISOF + //we should only parse senc/psec when no saiz/saio is present, otherwise we fetch the info directly + if (traf->trex && traf->tfhd && traf->trex->track && traf->sample_encryption) { + GF_TrackBox *trak = GetTrackbyID(mov->moov, traf->tfhd->trackID); +- trak->current_traf_stsd_idx = traf->tfhd->sample_desc_index ? traf->tfhd->sample_desc_index : traf->trex->def_sample_desc_index; +- e = senc_Parse(mov->movieFileMap->bs, trak, traf, traf->sample_encryption); +- if (e) return e; +- trak->current_traf_stsd_idx = 0; ++ if (trak) { ++ trak->current_traf_stsd_idx = traf->tfhd->sample_desc_index ? traf->tfhd->sample_desc_index : traf->trex->def_sample_desc_index; ++ e = senc_Parse(mov->movieFileMap->bs, trak, traf, traf->sample_encryption); ++ if (e) return e; ++ trak->current_traf_stsd_idx = 0; ++ } + } + } + } else { diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40562.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40562.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40562.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40562.patch 2023-05-17 10:24:30.000000000 +0000 @@ -0,0 +1,28 @@ +From 5dd71c7201a3e5cf40732d585bfb21c906c171d3 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 30 Aug 2021 17:26:28 +0200 +Subject: [PATCH] fixed #1901 + +--- + src/filters/reframe_nalu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/filters/reframe_nalu.c b/src/filters/reframe_nalu.c +index aad8ad964..812c8e1ec 100644 +--- a/src/filters/reframe_nalu.c ++++ b/src/filters/reframe_nalu.c +@@ -1352,9 +1352,9 @@ void naludmx_create_avc_decoder_config(GF_NALUDmxCtx *ctx, u8 **dsi, u32 *dsi_si + else + DeltaTfiDivisorIdx = (ctx->avc_state->sei.pic_timing.pic_struct+1) / 2; + } +- if (!ctx->timescale) { ++ if (!ctx->timescale && sps->vui.time_scale && sps->vui.num_units_in_tick) { + ctx->cur_fps.num = 2 * sps->vui.time_scale; +- ctx->cur_fps.den = 2 * sps->vui.num_units_in_tick * DeltaTfiDivisorIdx; ++ ctx->cur_fps.den = 2 * sps->vui.num_units_in_tick * DeltaTfiDivisorIdx; + + if (!ctx->fps.num && ctx->dts==ctx->fps.den) + ctx->dts = ctx->cur_fps.den; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40563.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40563.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40563.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40563.patch 2023-05-17 12:39:16.000000000 +0000 @@ -0,0 +1,26 @@ +From 5ce0c906ed8599d218036b18b78e8126a496f137 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 30 Aug 2021 16:06:09 +0200 +Subject: [PATCH] fixed #1892 + +--- + src/filters/reframe_nalu.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/filters/reframe_nalu.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/filters/reframe_nalu.c ++++ gpac-1.0.1+dfsg1/src/filters/reframe_nalu.c +@@ -1414,8 +1414,10 @@ static void naludmx_queue_param_set(GF_N + { + GF_List *list = NULL, *alt_list = NULL; + GF_AVCConfigSlot *sl; +- u32 i, count; +- u32 crc = gf_crc_32(data, size); ++ u32 i, count, crc; ++ ++ if (!size) return; ++ crc = gf_crc_32(data, size); + + if (ctx->is_hevc) { + switch (ps_type) { diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40564.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40564.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40564.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40564.patch 2023-05-17 12:42:36.000000000 +0000 @@ -0,0 +1,22 @@ +From cf6771c857eb9a290e2c19ddacfdd3ed98b27618 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 30 Aug 2021 17:09:02 +0200 +Subject: [PATCH] fixed #1898 + +--- + src/media_tools/av_parsers.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/media_tools/av_parsers.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/media_tools/av_parsers.c ++++ gpac-1.0.1+dfsg1/src/media_tools/av_parsers.c +@@ -5559,7 +5559,7 @@ static s32 avc_parse_slice(GF_BitStream + if (si->slice_type > 9) return -1; + + pps_id = gf_bs_get_ue(bs); +- if (pps_id > 255) return -1; ++ if ((pps_id < 0) || (pps_id > 255)) return -1; + si->pps = &avc->pps[pps_id]; + if (!si->pps->slice_group_count) return -2; + si->sps = &avc->sps[si->pps->sps_id]; diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40565.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40565.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40565.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40565.patch 2023-05-17 12:43:10.000000000 +0000 @@ -0,0 +1,26 @@ +From 893fb99b606eebfae46cde151846a980e689039b Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 30 Aug 2021 17:29:13 +0200 +Subject: [PATCH] fixed #1902 + +--- + src/media_tools/av_parsers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/media_tools/av_parsers.c b/src/media_tools/av_parsers.c +index 96d279742..1ab1a5373 100644 +--- a/src/media_tools/av_parsers.c ++++ b/src/media_tools/av_parsers.c +@@ -6113,7 +6113,8 @@ s32 gf_avc_parse_nalu(GF_BitStream *bs, AVCState *avc) + ret = 1; + break; + } +- assert(avc->s_info.sps); ++ if (!avc->s_info.sps) ++ return -1; + + if (avc->s_info.sps->poc_type == n_state.sps->poc_type) { + if (!avc->s_info.sps->poc_type) { +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40566.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40566.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40566.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40566.patch 2023-05-17 12:44:37.000000000 +0000 @@ -0,0 +1,76 @@ +From 96047e0e6166407c40cc19f4e94fb35cd7624391 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 30 Aug 2021 15:46:16 +0200 +Subject: [PATCH] fixed #1887 + +--- + src/filters/dec_xvid.c | 2 +- + src/filters/reframe_mpgvid.c | 30 ++++++++++++++++++++---------- + 2 files changed, 21 insertions(+), 11 deletions(-) + +diff --git a/src/filters/dec_xvid.c b/src/filters/dec_xvid.c +index dff56bf10..ab86d85b1 100644 +--- a/src/filters/dec_xvid.c ++++ b/src/filters/dec_xvid.c +@@ -181,7 +181,7 @@ static GF_Err xviddec_configure_pid(GF_Filter *filter, GF_FilterPid *pid, Bool i + /*decode DSI*/ + e = gf_m4v_get_config(p->value.data.ptr, p->value.data.size, &dsi); + if (e) return e; +- if (!dsi.width || !dsi.height) return GF_NON_COMPLIANT_BITSTREAM; ++ if (!dsi.width || (dsi.width%2) || !dsi.height) return GF_NON_COMPLIANT_BITSTREAM; + + memset(&par, 0, sizeof(par)); + par.width = dsi.width; +diff --git a/src/filters/reframe_mpgvid.c b/src/filters/reframe_mpgvid.c +index 308546f28..328db2855 100644 +--- a/src/filters/reframe_mpgvid.c ++++ b/src/filters/reframe_mpgvid.c +@@ -805,12 +805,17 @@ GF_Err mpgviddmx_process(GF_Filter *filter) + //not enough data, accumulate until we can parse the full header + if (e==GF_EOS) { + if (vosh_start<0) vosh_start = 0; +- if (ctx->hdr_store_alloc < ctx->hdr_store_size + pck_size - vosh_start) { +- ctx->hdr_store_alloc = (u32) (ctx->hdr_store_size + pck_size - vosh_start); +- ctx->hdr_store = gf_realloc(ctx->hdr_store, sizeof(char)*ctx->hdr_store_alloc); ++ if (data == ctx->hdr_store) { ++ memmove(ctx->hdr_store, start, remain); ++ ctx->hdr_store_size = remain; ++ } else { ++ if (ctx->hdr_store_alloc < ctx->hdr_store_size + pck_size - vosh_start) { ++ ctx->hdr_store_alloc = (u32) (ctx->hdr_store_size + pck_size - vosh_start); ++ ctx->hdr_store = gf_realloc(ctx->hdr_store, sizeof(char)*ctx->hdr_store_alloc); ++ } ++ memcpy(ctx->hdr_store + ctx->hdr_store_size, data + vosh_start, (size_t) (pck_size - vosh_start) ); ++ ctx->hdr_store_size += pck_size - (u32) vosh_start; + } +- memcpy(ctx->hdr_store + ctx->hdr_store_size, data + vosh_start, (size_t) (pck_size - vosh_start) ); +- ctx->hdr_store_size += pck_size - (u32) vosh_start; + gf_filter_pid_drop_packet(ctx->ipid); + return GF_OK; + } else if (e != GF_OK) { +@@ -844,12 +849,17 @@ GF_Err mpgviddmx_process(GF_Filter *filter) + //not enough data, accumulate until we can parse the full header + if (e==GF_EOS) { + if (vosh_start<0) vosh_start = 0; +- if (ctx->hdr_store_alloc < ctx->hdr_store_size + pck_size - vosh_start) { +- ctx->hdr_store_alloc = (u32) (ctx->hdr_store_size + pck_size - (u32) vosh_start); +- ctx->hdr_store = gf_realloc(ctx->hdr_store, sizeof(char)*ctx->hdr_store_alloc); ++ if (data == ctx->hdr_store) { ++ memmove(ctx->hdr_store, start, remain); ++ ctx->hdr_store_size = remain; ++ } else { ++ if (ctx->hdr_store_alloc < ctx->hdr_store_size + pck_size - vosh_start) { ++ ctx->hdr_store_alloc = (u32) (ctx->hdr_store_size + pck_size - (u32) vosh_start); ++ ctx->hdr_store = gf_realloc(ctx->hdr_store, sizeof(char)*ctx->hdr_store_alloc); ++ } ++ memcpy(ctx->hdr_store + ctx->hdr_store_size, data + vosh_start, (size_t) (pck_size - vosh_start) ); ++ ctx->hdr_store_size += pck_size - (u32) vosh_start; + } +- memcpy(ctx->hdr_store + ctx->hdr_store_size, data + vosh_start, (size_t) (pck_size - vosh_start) ); +- ctx->hdr_store_size += pck_size - (u32) vosh_start; + gf_filter_pid_drop_packet(ctx->ipid); + return GF_OK; + } else if (e != GF_OK) { +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40567.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40567.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40567.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40567.patch 2023-05-17 12:47:03.000000000 +0000 @@ -0,0 +1,21 @@ +From f5a038e6893019ee471b6a57490cf7a495673816 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 30 Aug 2021 14:53:51 +0200 +Subject: [PATCH] fixed #1885 + +--- + src/media_tools/isom_hinter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: gpac-1.0.1+dfsg1/src/media_tools/isom_hinter.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/media_tools/isom_hinter.c ++++ gpac-1.0.1+dfsg1/src/media_tools/isom_hinter.c +@@ -1237,6 +1237,7 @@ GF_Err gf_hinter_finalize(GF_ISOFile *fi + samp = gf_isom_get_sample(file, sceneT, 1, &descIndex); + if (gf_hinter_can_embbed_data(samp->data, samp->dataLength, GF_STREAM_SCENE)) { + ++ InitSL_NULL(&slc); + slc.timeScale = slc.timestampResolution = gf_isom_get_media_timescale(file, sceneT); + slc.OCRResolution = 1000; + slc.startCTS = samp->DTS+samp->CTS_Offset; diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40568.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40568.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40568.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40568.patch 2023-05-17 12:50:31.000000000 +0000 @@ -0,0 +1,22 @@ +From f1ae01d745200a258cdf62622f71754c37cb6c30 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 30 Aug 2021 17:20:00 +0200 +Subject: [PATCH] fixed #1900 + +--- + src/media_tools/av_parsers.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/media_tools/av_parsers.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/media_tools/av_parsers.c ++++ gpac-1.0.1+dfsg1/src/media_tools/av_parsers.c +@@ -5669,7 +5669,7 @@ static s32 svc_parse_slice(GF_BitStream + if (si->slice_type > 9) return -1; + + pps_id = gf_bs_get_ue(bs); +- if (pps_id > 255) ++ if ((pps_id < 0) || (pps_id > 255)) + return -1; + si->pps = &avc->pps[pps_id]; + si->pps->id = pps_id; diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40569.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40569.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40569.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40569.patch 2023-05-18 06:12:16.000000000 +0000 @@ -0,0 +1,36 @@ +From b03c9f252526bb42fbd1b87b9f5e339c3cf2390a Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 30 Aug 2021 15:55:13 +0200 +Subject: [PATCH] fixed #1890 + +--- + src/isomedia/box_code_meta.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/isomedia/box_code_meta.c b/src/isomedia/box_code_meta.c +index e3f0556c0..cdd0948a6 100644 +--- a/src/isomedia/box_code_meta.c ++++ b/src/isomedia/box_code_meta.c +@@ -282,7 +282,8 @@ GF_Err iloc_box_read(GF_Box *s, GF_BitStream *bs) + } + + for (i = 0; i < item_count; i++) { +- GF_ItemLocationEntry *location_entry = (GF_ItemLocationEntry *)gf_malloc(sizeof(GF_ItemLocationEntry)); ++ GF_ItemLocationEntry *location_entry; ++ GF_SAFEALLOC(location_entry, GF_ItemLocationEntry); + if (!location_entry) return GF_OUT_OF_MEM; + + gf_list_add(ptr->location_entries, location_entry); +@@ -311,7 +312,8 @@ GF_Err iloc_box_read(GF_Box *s, GF_BitStream *bs) + extent_count = gf_bs_read_u16(bs); + location_entry->extent_entries = gf_list_new(); + for (j = 0; j < extent_count; j++) { +- GF_ItemExtentEntry *extent_entry = (GF_ItemExtentEntry *)gf_malloc(sizeof(GF_ItemExtentEntry)); ++ GF_ItemExtentEntry *extent_entry; ++ GF_SAFEALLOC(extent_entry, GF_ItemExtentEntry); + if (!extent_entry) return GF_OUT_OF_MEM; + + gf_list_add(location_entry->extent_entries, extent_entry); +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40570.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40570.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40570.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40570.patch 2023-05-18 06:13:36.000000000 +0000 @@ -0,0 +1,21 @@ +From 04dbf08bff4d61948bab80c3f9096ecc60c7f302 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 30 Aug 2021 17:15:34 +0200 +Subject: [PATCH] fixed #1899 + +--- + src/media_tools/av_parsers.c | 1 + + 1 file changed, 1 insertion(+) + +Index: gpac-1.0.1+dfsg1/src/media_tools/av_parsers.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/media_tools/av_parsers.c ++++ gpac-1.0.1+dfsg1/src/media_tools/av_parsers.c +@@ -5087,6 +5087,7 @@ static s32 gf_media_avc_read_sps_bs_inte + sps->offset_for_top_to_bottom_field = gf_bs_get_se(bs); + sps->poc_cycle_length = gf_bs_get_ue(bs); + if (sps->poc_cycle_length > GF_ARRAY_LENGTH(sps->offset_for_ref_frame)) { ++ sps->poc_cycle_length = 255; + GF_LOG(GF_LOG_ERROR, GF_LOG_CODING, ("[avc-h264] offset_for_ref_frame overflow from poc_cycle_length\n")); + return -1; + } diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40571.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40571.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40571.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40571.patch 2023-05-18 06:13:58.000000000 +0000 @@ -0,0 +1,24 @@ +From a69b567b8c95c72f9560c873c5ab348be058f340 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 30 Aug 2021 16:24:05 +0200 +Subject: [PATCH] fixed #1895 + +--- + src/odf/descriptors.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/odf/descriptors.c b/src/odf/descriptors.c +index afc623729..c1970e820 100644 +--- a/src/odf/descriptors.c ++++ b/src/odf/descriptors.c +@@ -1613,6 +1613,7 @@ GF_AV1Config *gf_odf_av1_cfg_read_bs_size(GF_BitStream *bs, u32 size) + size -= (u32) obu_size; + } + gf_av1_reset_state(& state, GF_TRUE); ++ gf_bs_align(bs); + return cfg; + #else + return NULL; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40572.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40572.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40572.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40572.patch 2023-05-18 06:14:48.000000000 +0000 @@ -0,0 +1,29 @@ +From 7bb1b4a4dd23c885f9db9f577dfe79ecc5433109 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 30 Aug 2021 16:15:32 +0200 +Subject: [PATCH] fixed #1893 + +--- + src/media_tools/av_parsers.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/media_tools/av_parsers.c b/src/media_tools/av_parsers.c +index 3ce9a9015..4ea0db8a9 100644 +--- a/src/media_tools/av_parsers.c ++++ b/src/media_tools/av_parsers.c +@@ -3980,10 +3980,8 @@ void gf_av1_reset_state(AV1State *state, Bool is_destroy) + gf_list_del(l1); + gf_list_del(l2); + if (state->bs) { +- if (gf_bs_get_position(state->bs)) { +- u32 size; +- gf_bs_get_content_no_truncate(state->bs, &state->frame_obus, &size, &state->frame_obus_alloc); +- } ++ u32 size; ++ gf_bs_get_content_no_truncate(state->bs, &state->frame_obus, &size, &state->frame_obus_alloc); + gf_bs_del(state->bs); + } + state->bs = NULL; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40574.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40574.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40574.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40574.patch 2023-05-18 06:26:19.000000000 +0000 @@ -0,0 +1,43 @@ +From 30ac5e5236b790accd1f25347eebf2dc8c6c1bcb Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 30 Aug 2021 16:57:38 +0200 +Subject: [PATCH] fixed #1897 + +--- + src/filters/load_text.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/filters/load_text.c b/src/filters/load_text.c +index 4f41d2d3b..b82d2991b 100644 +--- a/src/filters/load_text.c ++++ b/src/filters/load_text.c +@@ -255,7 +255,7 @@ char *gf_text_get_utf8_line(char *szLine, u32 lineSize, FILE *txt_in, s32 unicod + { + u32 i, j, len; + char *sOK; +- char szLineConv[1024]; ++ char szLineConv[2048]; + unsigned short *sptr; + + memset(szLine, 0, sizeof(char)*lineSize); +@@ -328,7 +328,7 @@ char *gf_text_get_utf8_line(char *szLine, u32 lineSize, FILE *txt_in, s32 unicod + } + } + sptr = (u16 *)szLine; +- i = (u32) gf_utf8_wcstombs(szLineConv, 1024, (const unsigned short **) &sptr); ++ i = (u32) gf_utf8_wcstombs(szLineConv, 2048, (const unsigned short **) &sptr); + szLineConv[i] = 0; + strcpy(szLine, szLineConv); + /*this is ugly indeed: since input is UTF16-LE, there are many chances the gf_fgets never reads the \0 after a \n*/ +@@ -2338,6 +2338,8 @@ static GF_Err gf_text_process_sub(GF_Filter *filter, GF_TXTIn *ctx) + while (szLine[i+1] && szLine[i+1]!='}') { + szTime[i] = szLine[i+1]; + i++; ++ if (i>=19) ++ break; + } + szTime[i] = 0; + ctx->start = atoi(szTime); +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40575.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40575.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40575.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40575.patch 2023-05-18 06:29:33.000000000 +0000 @@ -0,0 +1,29 @@ +From 5f2c2a16d30229b6241f02fa28e3d6b810d64858 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Wed, 1 Sep 2021 13:50:54 +0200 +Subject: [PATCH] fixed #1905 + +--- + src/filters/reframe_mpgvid.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +Index: gpac-1.0.1+dfsg1/src/filters/reframe_mpgvid.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/filters/reframe_mpgvid.c ++++ gpac-1.0.1+dfsg1/src/filters/reframe_mpgvid.c +@@ -760,8 +760,14 @@ GF_Err mpgviddmx_process(GF_Filter *filt + mpgviddmx_enqueue_or_dispatch(ctx, dst_pck, GF_FALSE, GF_FALSE); + } + +- //parse headers ++ //not enough bytes to parse start code ++ if (remain<5) { ++ memcpy(ctx->hdr_store, start, remain); ++ ctx->bytes_in_header = remain; ++ break; ++ } + ++ //parse headers + //we have a start code loaded, eg the data packet does not have a full start code at the begining + if (sc_type_forced) { + gf_bs_reassign_buffer(ctx->bs, start + hdr_offset, remain - hdr_offset); diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40576_40606_40609.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40576_40606_40609.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40576_40606_40609.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40576_40606_40609.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,23 @@ +From ad18ece95fa064efc0995c4ab2c985f77fb166ec Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Wed, 1 Sep 2021 13:45:04 +0200 +Subject: [PATCH] fixed #1904 + +--- + src/isomedia/hint_track.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: gpac-1.0.1+dfsg1/src/isomedia/hint_track.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/isomedia/hint_track.c ++++ gpac-1.0.1+dfsg1/src/isomedia/hint_track.c +@@ -43,6 +43,9 @@ Bool IsHintTrack(GF_TrackBox *trak) + u32 GetHintFormat(GF_TrackBox *trak) + { + GF_HintMediaHeaderBox *hmhd = (GF_HintMediaHeaderBox *)trak->Media->information->InfoHeader; ++ if (!hmhd || (hmhd->type != GF_ISOM_BOX_TYPE_HMHD)) ++ return 0; ++ + if (!hmhd || !hmhd->subType) { + GF_Box *a = (GF_Box *)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, 0); + if (!hmhd) return a ? a->type : 0; diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40592.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40592.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40592.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40592.patch 2023-05-18 06:34:39.000000000 +0000 @@ -0,0 +1,46 @@ +From 71460d72ec07df766dab0a4d52687529f3efcf0a Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 30 Aug 2021 14:27:49 +0200 +Subject: [PATCH] fixed #1876 + +--- + src/filters/isoffin_read.c | 7 +++++++ + src/filters/isoffin_read_ch.c | 4 ++++ + 2 files changed, 11 insertions(+) + +diff --git a/src/filters/isoffin_read.c b/src/filters/isoffin_read.c +index 899d3508a..1f0d3742b 100644 +--- a/src/filters/isoffin_read.c ++++ b/src/filters/isoffin_read.c +@@ -1453,6 +1453,13 @@ static GF_Err isoffin_process(GF_Filter *filter) + gf_filter_pid_set_eos(ch->pid); + } + break; ++ } else if (ch->last_state==GF_ISOM_INVALID_FILE) { ++ if (!ch->eos_sent) { ++ ch->eos_sent = GF_TRUE; ++ read->eos_signaled = GF_TRUE; ++ gf_filter_pid_set_eos(ch->pid); ++ } ++ return ch->last_state; + } else { + read->force_fetch = GF_TRUE; + break; +diff --git a/src/filters/isoffin_read_ch.c b/src/filters/isoffin_read_ch.c +index c9bde6387..90f5972eb 100644 +--- a/src/filters/isoffin_read_ch.c ++++ b/src/filters/isoffin_read_ch.c +@@ -479,6 +479,10 @@ void isor_reader_get_sample(ISOMChannel *ch) + if (!ch->has_edit_list && ch->sample_num) + ch->sample_num--; + } else { ++ if (ch->to_init && ch->sample_num) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[IsoMedia] Failed to fetch initial sample %d for track %d\n")); ++ ch->last_state = GF_ISOM_INVALID_FILE; ++ } + if (ch->sample_num >= gf_isom_get_sample_count(ch->owner->mov, ch->track)) { + ch->last_state = GF_EOS; + } +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40607.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40607.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40607.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40607.patch 2023-05-18 06:38:54.000000000 +0000 @@ -0,0 +1,28 @@ +From f19668964bf422cf5a63e4dbe1d3c6c75edadcbb Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 30 Aug 2021 14:34:37 +0200 +Subject: [PATCH] fixed #1879 + +--- + src/isomedia/box_code_drm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/isomedia/box_code_drm.c b/src/isomedia/box_code_drm.c +index 3bedb3995..23c19c604 100644 +--- a/src/isomedia/box_code_drm.c ++++ b/src/isomedia/box_code_drm.c +@@ -145,9 +145,10 @@ GF_Err schm_box_read(GF_Box *s, GF_BitStream *bs) + + if (ptr->size && (ptr->flags & 0x000001)) { + u32 len = (u32) (ptr->size); +- ptr->URI = (char*)gf_malloc(sizeof(char)*len); ++ ptr->URI = (char*)gf_malloc(sizeof(char)*(len+1)); + if (!ptr->URI) return GF_OUT_OF_MEM; + gf_bs_read_data(bs, ptr->URI, len); ++ ptr->URI[len] = 0; + } + return GF_OK; + } +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40608.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40608.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40608.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40608.patch 2023-05-18 06:40:18.000000000 +0000 @@ -0,0 +1,55 @@ +From b09c75dc2d4bf68ac447daa71e72365aa30231a9 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 30 Aug 2021 14:43:17 +0200 +Subject: [PATCH] fixed #1883 + +--- + src/isomedia/tx3g.c | 4 ++-- + src/media_tools/isom_hinter.c | 7 ++++++- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/isomedia/tx3g.c b/src/isomedia/tx3g.c +index e63610785..7ff1a3353 100644 +--- a/src/isomedia/tx3g.c ++++ b/src/isomedia/tx3g.c +@@ -920,6 +920,8 @@ GF_Err gf_isom_text_get_encoded_tx3g(GF_ISOFile *file, u32 track, u32 sidx, u32 + GF_TrackBox *trak; + GF_Tx3gSampleEntryBox *a; + ++ *tx3g = NULL; ++ *tx3g_size = 0; + trak = gf_isom_get_track_from_file(file, track); + if (!trak) return GF_BAD_PARAM; + +@@ -929,8 +931,6 @@ GF_Err gf_isom_text_get_encoded_tx3g(GF_ISOFile *file, u32 track, u32 sidx, u32 + + bs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE); + gf_isom_write_tx3g(a, bs, sidx, sidx_offset); +- *tx3g = NULL; +- *tx3g_size = 0; + gf_bs_get_content(bs, tx3g, tx3g_size); + gf_bs_del(bs); + return GF_OK; +diff --git a/src/media_tools/isom_hinter.c b/src/media_tools/isom_hinter.c +index a3a8205ca..eacef641f 100644 +--- a/src/media_tools/isom_hinter.c ++++ b/src/media_tools/isom_hinter.c +@@ -949,9 +949,14 @@ GF_Err gf_hinter_track_finalize(GF_RTPHinter *tkHint, Bool AddSystemInfo) + strcat(sdpLine, "; tx3g="); + for (i=0; ifile, tkHint->TrackNum); i++) { + u8 *tx3g; ++ GF_Err e; + char buffer[2000]; + u32 tx3g_len, len; +- gf_isom_text_get_encoded_tx3g(tkHint->file, tkHint->TrackNum, i+1, GF_RTP_TX3G_SIDX_OFFSET, &tx3g, &tx3g_len); ++ e = gf_isom_text_get_encoded_tx3g(tkHint->file, tkHint->TrackNum, i+1, GF_RTP_TX3G_SIDX_OFFSET, &tx3g, &tx3g_len); ++ if (e) { ++ if (i) continue; ++ return GF_ISOM_INVALID_FILE; ++ } + len = gf_base64_encode(tx3g, tx3g_len, buffer, 2000); + gf_free(tx3g); + buffer[len] = 0; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40944.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40944.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40944.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-40944.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,40 @@ +From 44fdc3d972c31c56efe73e1a3b63438d46087652 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Wed, 1 Sep 2021 14:04:10 +0200 +Subject: [PATCH] fixed #1906 + +--- + src/filter_core/filter_session.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/filter_core/filter_session.c b/src/filter_core/filter_session.c +index 2b138b30c..e69bb1bcf 100644 +--- a/src/filter_core/filter_session.c ++++ b/src/filter_core/filter_session.c +@@ -1176,9 +1176,21 @@ GF_Filter *gf_fs_load_filter(GF_FilterSession *fsess, const char *name, GF_Err * + filter = gf_filter_new(fsess, f_reg, args, NULL, argtype, err_code, NULL, GF_FALSE); + if (!filter) return NULL; + if (!filter->num_output_pids) { ++ //check we have a src specified for the filter + const char *src_url = strstr(name, "src"); +- if (src_url && (src_url[3]==fsess->sep_name)) +- gf_filter_post_process_task(filter); ++ if (src_url && (src_url[3]==fsess->sep_name)) { ++ const GF_FilterArgs *args = filter->instance_args ? filter->instance_args : f_reg->args; ++ //check the filter has an src argument ++ //we don't want to call process on a filter not acting as source until at least one input is connected ++ i=0; ++ while (args && args[i].arg_name) { ++ if (!strcmp(args[i].arg_name, "src")) { ++ gf_filter_post_process_task(filter); ++ break; ++ } ++ i++; ++ } ++ } + } + return filter; + } +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-41456.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-41456.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-41456.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-41456.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,36 @@ +From 74695dea7278e78af3db467e586233fe8773c07e Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Thu, 9 Sep 2021 14:36:47 +0200 +Subject: [PATCH] fixed #1910 #1911 + +--- + src/filters/dmx_nhml.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/filters/dmx_nhml.c b/src/filters/dmx_nhml.c +index 82cad5909..20f43f421 100644 +--- a/src/filters/dmx_nhml.c ++++ b/src/filters/dmx_nhml.c +@@ -999,10 +999,17 @@ static GF_Err nhmldmx_send_sample(GF_Filter *filter, GF_NHMLDmxCtx *ctx) + } else { + base_data = att->value; + } ++ } else if (!strnicmp(att->value, "gmem://", 7)) { ++ GF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, ("[NHMLDmx] Invalid url %s for NHML import\n", att->value)); + } else { + char *url = gf_url_concatenate(ctx->src_url, att->value); +- strcpy(szMediaTemp, url ? url : att->value); +- if (url) gf_free(url); ++ if (!url) { ++ GF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, ("[NHMLDmx] Failed to get full url for %s\n", att->value)); ++ } else { ++ strncpy(szMediaTemp, url, GF_MAX_PATH-1); ++ szMediaTemp[GF_MAX_PATH-1] = 0; ++ gf_free(url); ++ } + } + } + else if (!stricmp(att->name, "xmlFrom")) strcpy(szXmlFrom, att->value); +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-41457.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-41457.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-41457.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-41457.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,193 @@ +From ae2828284f2fc0381548aaa991958f1eb9b90619 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Thu, 9 Sep 2021 14:57:35 +0200 +Subject: [PATCH] fixed #1909 + +--- + src/filters/dmx_nhml.c | 56 +++++++++++++++++++++++++----------------- + 1 file changed, 33 insertions(+), 23 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/filters/dmx_nhml.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/filters/dmx_nhml.c ++++ gpac-1.0.1+dfsg1/src/filters/dmx_nhml.c +@@ -59,7 +59,7 @@ typedef struct + u32 sample_num; + + FILE *mdia; +- char szMedia[GF_MAX_PATH]; ++ char *media_file; + + GF_DOMParser *parser; + GF_XMLNode *root; +@@ -457,7 +457,7 @@ static GF_Err nhmldmx_init_parsing(GF_Fi + FILE *nhml; + const GF_PropertyValue *p; + char *auxiliary_mime_types = NULL; +- char *ext, szName[1000], szInfo[GF_MAX_PATH], szXmlFrom[1000], szXmlHeaderEnd[1000]; ++ char *ext, *init_name=NULL, szXmlFrom[1000], szXmlHeaderEnd[1000]; + u8 *specInfo; + char compressor_name[100]; + GF_XMLNode *node; +@@ -481,25 +481,26 @@ static GF_Err nhmldmx_init_parsing(GF_Fi + return GF_URL_ERROR; + } + +- szName[0] = 0; + if (!strncmp(ctx->src_url, "gfio://", 7)) { + char *base = gf_file_basename( gf_fileio_translate_url(ctx->src_url) ); +- if (base) strcpy(szName, base); ++ if (base) gf_dynstrcat(&init_name, base, NULL); + } else { +- strcpy(szName, ctx->src_url); ++ gf_dynstrcat(&init_name, ctx->src_url, NULL); + } +- ext = gf_file_ext_start(szName); ++ if (!init_name) return GF_OUT_OF_MEM; ++ ext = gf_file_ext_start(init_name); + if (ext) ext[0] = 0; +- strcpy(ctx->szMedia, szName); +- strcpy(szInfo, szName); +- strcat(ctx->szMedia, ".media"); +- strcat(szInfo, ".info"); ++ if (ctx->media_file) gf_free(ctx->media_file); ++ ctx->media_file = gf_strdup(init_name); ++ gf_dynstrcat(&ctx->media_file, ".media", NULL); ++ gf_dynstrcat(&init_name, ".info", NULL); + + ctx->parser = gf_xml_dom_new(); + e = gf_xml_dom_parse(ctx->parser, p->value.string, NULL, NULL); + if (e) { + gf_fclose(nhml); + GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[NHMLDmx] Error parsing %s file: Line %d - %s", szImpName, gf_xml_dom_get_line(ctx->parser), gf_xml_dom_get_error(ctx->parser) )); ++ if (init_name) gf_free(init_name); + return GF_NON_COMPLIANT_BITSTREAM; + } + gf_fclose(nhml); +@@ -507,6 +508,7 @@ static GF_Err nhmldmx_init_parsing(GF_Fi + ctx->root = gf_xml_dom_get_root(ctx->parser); + if (!ctx->root) { + GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[NHMLDmx] Error parsing %s file - no root node found", szImpName )); ++ if (init_name) gf_free(init_name); + return GF_NON_COMPLIANT_BITSTREAM; + } + +@@ -521,6 +523,7 @@ static GF_Err nhmldmx_init_parsing(GF_Fi + + if (stricmp(ctx->root->name, szRootName)) { + GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[NHMLDmx] Error parsing %s file - \"%s\" root expected, got \"%s\"", szImpName, szRootName, ctx->root->name)); ++ if (init_name) gf_free(init_name); + return GF_NON_COMPLIANT_BITSTREAM; + } + +@@ -565,12 +568,12 @@ static GF_Err nhmldmx_init_parsing(GF_Fi + NHML_SCAN_INT("%u", nb_channels) + } else if (!stricmp(att->name, "baseMediaFile")) { + char *url = gf_url_concatenate(ctx->src_url, att->value); +- strcpy(ctx->szMedia, url ? url : att->value); +- if (url) gf_free(url); ++ if (ctx->media_file) gf_free(ctx->media_file); ++ ctx->media_file = url; + } else if (!stricmp(att->name, "specificInfoFile")) { + char *url = gf_url_concatenate(ctx->src_url, att->value); +- strcpy(szInfo, url ? url : att->value); +- if (url) gf_free(url); ++ if (init_name) gf_free(init_name); ++ init_name = url; + } else if (!stricmp(att->name, "headerEnd")) { + NHML_SCAN_INT("%u", ctx->header_end) + } else if (!stricmp(att->name, "trackID")) { +@@ -686,8 +689,8 @@ static GF_Err nhmldmx_init_parsing(GF_Fi + codecid = GF_CODECID_DIMS; + streamType = GF_STREAM_SCENE; + } +- if (gf_file_exists_ex(ctx->szMedia, ctx->src_url)) +- ctx->mdia = gf_fopen_ex(ctx->szMedia, ctx->src_url, "rb"); ++ if (gf_file_exists_ex(ctx->media_file, ctx->src_url)) ++ ctx->mdia = gf_fopen_ex(ctx->media_file, ctx->src_url, "rb"); + + specInfoSize = 0; + if (!streamType && !mtype && !codec_tag) { +@@ -696,13 +699,16 @@ static GF_Err nhmldmx_init_parsing(GF_Fi + } + + finfo = NULL; +- if (gf_file_exists_ex(szInfo, ctx->src_url)) +- finfo = gf_fopen_ex(szInfo, ctx->src_url, "rb"); ++ if (gf_file_exists_ex(init_name, ctx->src_url)) ++ finfo = gf_fopen_ex(init_name, ctx->src_url, "rb"); + + if (finfo) { + e = gf_file_load_data_filep(finfo, (u8 **)&specInfo, &specInfoSize); + gf_fclose(finfo); +- if (e) return e; ++ if (e) { ++ if (init_name) gf_free(init_name); ++ return e; ++ } + } else if (ctx->header_end) { + /* for text based streams, the decoder specific info can be at the beginning of the file */ + specInfoSize = ctx->header_end; +@@ -714,9 +720,10 @@ static GF_Err nhmldmx_init_parsing(GF_Fi + /* for XML based streams, the decoder specific info can be up to some element in the file */ + strcpy(szXmlFrom, "doc.start"); + ctx->samp_buffer_size = 0; +- e = nhml_sample_from_xml(ctx, ctx->szMedia, szXmlFrom, szXmlHeaderEnd); ++ e = nhml_sample_from_xml(ctx, ctx->media_file, szXmlFrom, szXmlHeaderEnd); + if (e) { + GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[NHMLDmx] failed to load XML header: %s", gf_error_to_string(e) )); ++ if (init_name) gf_free(init_name); + return e; + } + +@@ -734,6 +741,7 @@ static GF_Err nhmldmx_init_parsing(GF_Fi + e = gf_xml_parse_bit_sequence(node, ctx->src_url, &specInfo, &specInfoSize); + if (e) { + if (specInfo) gf_free(specInfo); ++ if (init_name) gf_free(init_name); + return e; + } + break; +@@ -858,7 +866,7 @@ static GF_Err nhmldmx_init_parsing(GF_Fi + ctx->current_child_idx = 0; + ctx->last_dts = GF_FILTER_NO_TS; + +- gf_filter_pid_set_property(ctx->opid, GF_PROP_PID_FILEPATH, & PROP_STRING(ctx->szMedia)); ++ gf_filter_pid_set_property(ctx->opid, GF_PROP_PID_FILEPATH, & PROP_STRING(ctx->media_file)); + + if (ctx->mdia) { + media_size = gf_fsize(ctx->mdia); +@@ -914,6 +922,7 @@ static GF_Err nhmldmx_init_parsing(GF_Fi + ctx->is_img = GF_TRUE; + ctx->duration.num =ctx->duration.den; + } ++ if (init_name) gf_free(init_name); + + gf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DURATION, & PROP_FRAC64(ctx->duration) ); + +@@ -1053,7 +1062,7 @@ static GF_Err nhmldmx_send_sample(GF_Fil + if (strlen(szXmlFrom) && strlen(szXmlTo)) { + char *xml_file; + if (strlen(szMediaTemp)) xml_file = szMediaTemp; +- else xml_file = ctx->szMedia; ++ else xml_file = ctx->media_file; + ctx->samp_buffer_size = 0; + e = nhml_sample_from_xml(ctx, xml_file, szXmlFrom, szXmlTo); + } else if (ctx->is_dims && !strlen(szMediaTemp)) { +@@ -1107,7 +1116,7 @@ static GF_Err nhmldmx_send_sample(GF_Fil + if (strlen(szMediaTemp)) { + f = gf_fopen(szMediaTemp, "rb"); + if (!f) { +- GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[NHMLDmx] import failure in sample %d: file %s not found", ctx->sample_num, close ? szMediaTemp : ctx->szMedia)); ++ GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[NHMLDmx] import failure in sample %d: file %s not found", ctx->sample_num, close ? szMediaTemp : ctx->media_file)); + return GF_NON_COMPLIANT_BITSTREAM; + } + close = GF_TRUE; +@@ -1374,6 +1383,7 @@ void nhmldmx_finalize(GF_Filter *filter) + if (ctx->bs_w) gf_bs_del(ctx->bs_w); + if (ctx->samp_buffer) gf_free(ctx->samp_buffer); + if (ctx->zlib_buffer) gf_free(ctx->zlib_buffer); ++ if (ctx->media_file) gf_free(ctx->media_file); + } + + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-41459.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-41459.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-41459.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-41459.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,33 @@ +From 7d4538e104f2b3ff6a65a41394795654e6972339 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Thu, 9 Sep 2021 15:04:12 +0200 +Subject: [PATCH] fixed #1912 + +--- + src/filters/dmx_nhml.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/filters/dmx_nhml.c b/src/filters/dmx_nhml.c +index c35cbcc49..8ca7beed0 100644 +--- a/src/filters/dmx_nhml.c ++++ b/src/filters/dmx_nhml.c +@@ -1021,8 +1021,14 @@ static GF_Err nhmldmx_send_sample(GF_Filter *filter, GF_NHMLDmxCtx *ctx) + } + } + } +- else if (!stricmp(att->name, "xmlFrom")) strcpy(szXmlFrom, att->value); +- else if (!stricmp(att->name, "xmlTo")) strcpy(szXmlTo, att->value); ++ else if (!stricmp(att->name, "xmlFrom")) { ++ strncpy(szXmlFrom, att->value, 999); ++ szXmlFrom[999]=0; ++ } ++ else if (!stricmp(att->name, "xmlTo")) { ++ strncpy(szXmlTo, att->value, 999); ++ szXmlTo[999]=0; ++ } + /*DIMS flags*/ + else if (!stricmp(att->name, "is-Scene") && !stricmp(att->value, "yes")) + dims_flags |= GF_DIMS_UNIT_S; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45262.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45262.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45262.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45262.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,67 @@ +From ef86a8eba3b166b885dec219066dd3a47501e03a Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 13 Dec 2021 14:21:50 +0100 +Subject: [PATCH] fixed #1980 + +--- + include/gpac/svg_types.h | 3 +++ + src/laser/lsr_dec.c | 1 + + src/scenegraph/svg_types.c | 2 ++ + src/scenegraph/vrml_tools.c | 2 +- + 4 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/include/gpac/svg_types.h b/include/gpac/svg_types.h +index fa48485ec..a32a21fbb 100644 +--- a/include/gpac/svg_types.h ++++ b/include/gpac/svg_types.h +@@ -177,6 +177,9 @@ enum { + LASeR_Size_datatype, + + SVG_Matrix2D_datatype, ++ ++ /*internal type for node list*/ ++ SVG_NodeList_datatype + }; + + //! @cond Doxygen_Suppress +diff --git a/src/laser/lsr_dec.c b/src/laser/lsr_dec.c +index 6b9ad05b6..bb8305623 100644 +--- a/src/laser/lsr_dec.c ++++ b/src/laser/lsr_dec.c +@@ -5250,6 +5250,7 @@ static GF_Err lsr_read_add_replace_insert(GF_LASeRCodec *lsr, GF_List *com_list, + gf_node_register(field->new_node, NULL); + if (att_type>=0) field->fieldIndex = gf_lsr_anim_type_to_attribute(att_type); + } else { ++ field->fieldType = SVG_NodeList_datatype; + field->field_ptr = &field->node_list; + while (count) { + GF_Node *new_node = lsr_read_update_content_model(lsr, (SVG_Element *) n); +diff --git a/src/scenegraph/svg_types.c b/src/scenegraph/svg_types.c +index 667c9ab16..827f51d0f 100644 +--- a/src/scenegraph/svg_types.c ++++ b/src/scenegraph/svg_types.c +@@ -491,6 +491,8 @@ void gf_svg_delete_attribute_value(u32 type, void *value, GF_SceneGraph *sg) + if (*(SVG_String *)value) gf_free(*(SVG_String *)value); + gf_free(value); + break; ++ case SVG_NodeList_datatype: ++ break; + case SMIL_RepeatCount_datatype: + case SMIL_Duration_datatype: + case SVG_Length_datatype: +diff --git a/src/scenegraph/vrml_tools.c b/src/scenegraph/vrml_tools.c +index 0166cd890..6fd08b669 100644 +--- a/src/scenegraph/vrml_tools.c ++++ b/src/scenegraph/vrml_tools.c +@@ -1129,7 +1129,7 @@ GF_Err gf_sg_vrml_mf_reset(void *mf, u32 FieldType) + gf_sg_mfurl_del( * ((MFURL *) mf)); + break; + case GF_SG_VRML_MFSCRIPT: +- gf_sg_mfscript_del( * ((MFScript *) mf)); ++ gf_sg_mfscript_del( * ((MFScript *) mf)); + break; + default: + if (mffield->array) gf_free(mffield->array); +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45263.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45263.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45263.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45263.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,25 @@ +From b232648da3b111a0efe500501ee8ca8f32b616e9 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 13 Dec 2021 13:18:49 +0100 +Subject: [PATCH] fixed #1975 + +--- + src/laser/lsr_dec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/laser/lsr_dec.c b/src/laser/lsr_dec.c +index 35ff1c7c6..21b066e13 100644 +--- a/src/laser/lsr_dec.c ++++ b/src/laser/lsr_dec.c +@@ -2511,7 +2511,7 @@ static void lsr_read_anim_values_ex(GF_LASeRCodec *lsr, GF_Node *n, u32 *tr_type + + GF_LSR_READ_INT(lsr, coded_type, 4, "type"); + values->type = coded_type; +- values->laser_strings = 1; ++ values->laser_strings = 0; + + count = lsr_read_vluimsbf5(lsr, "count"); + for (i=0; i +Date: Mon, 13 Dec 2021 11:21:26 +0100 +Subject: [PATCH] fixed #1965 + +--- + src/scene_manager/loader_svg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/scene_manager/loader_svg.c b/src/scene_manager/loader_svg.c +index 650ac2327..314dbb41f 100644 +--- a/src/scene_manager/loader_svg.c ++++ b/src/scene_manager/loader_svg.c +@@ -1426,6 +1426,10 @@ static void svg_node_start(void *sax_cbck, const char *name, const char *name_sp + Bool rap; + time = 0; + rap = GF_FALSE; ++ if (!parser->laser_es) { ++ svg_report(parser, GF_BAD_PARAM, "No LASER stream specified"); ++ return; ++ } + if (!gf_list_count(parser->laser_es->AUs)) rap = GF_TRUE; + for (i=0; i +Date: Fri, 10 Dec 2021 09:10:49 +0100 +Subject: [PATCH] fixed #1955 + +--- + src/scene_manager/scene_dump.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/scene_manager/scene_dump.c b/src/scene_manager/scene_dump.c +index 0e9f377a8..ee7ef075d 100644 +--- a/src/scene_manager/scene_dump.c ++++ b/src/scene_manager/scene_dump.c +@@ -240,6 +240,7 @@ static void gf_dump_setup(GF_SceneDumper *sdump, GF_Descriptor *root_od) + for (i=0; iESDescriptors, i); ++ if (!esd || !esd->decoderConfig) continue; + if (esd->decoderConfig->streamType != GF_STREAM_SCENE) continue; + if (esd->decoderConfig->objectTypeIndication != 0x09) continue; + if (!esd->decoderConfig->decoderSpecificInfo || !esd->decoderConfig->decoderSpecificInfo->data) continue; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45292.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45292.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45292.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45292.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,37 @@ +From 3dafcb5e71e9ffebb50238784dcad8b105da81f6 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Fri, 10 Dec 2021 10:02:48 +0100 +Subject: [PATCH] fixed #1958 + +--- + src/isomedia/box_funcs.c | 1 + + src/isomedia/hinting.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/isomedia/box_funcs.c b/src/isomedia/box_funcs.c +index 3701351d2..cbe4c5c29 100644 +--- a/src/isomedia/box_funcs.c ++++ b/src/isomedia/box_funcs.c +@@ -133,6 +133,7 @@ GF_Err gf_isom_box_parse_ex(GF_Box **outBox, GF_BitStream *bs, u32 parent_type, + } else { + if (!skip_logs) { + GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Read Box type %s (0x%08X) at position "LLU" has size 0 but is not at root/file level, skipping\n", gf_4cc_to_str(type), type, start)); ++ return GF_EOS; + } + return GF_OK; + } +diff --git a/src/isomedia/hinting.c b/src/isomedia/hinting.c +index 5ce1a8b8a..5b6989b11 100644 +--- a/src/isomedia/hinting.c ++++ b/src/isomedia/hinting.c +@@ -678,6 +678,7 @@ GF_Err gf_isom_hint_rtp_read(GF_RTPPacket *ptr, GF_BitStream *bs) + while (tempSize < TLVsize) { + e = gf_isom_box_parse(&a, bs); + if (e) return e; ++ if (!a) continue; + gf_list_add(ptr->TLV, a); + tempSize += (u32) a->size; + } +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45297.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45297.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45297.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45297.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,26 @@ +From fb13af36286b9d898e332e8762a286eb83bd1770 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Tue, 14 Dec 2021 11:34:46 +0100 +Subject: [PATCH] fixed #1973 + +--- + src/utils/math.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/utils/math.c b/src/utils/math.c +index 10fc2dcf7..4d16ce5f6 100644 +--- a/src/utils/math.c ++++ b/src/utils/math.c +@@ -35,7 +35,8 @@ GF_EXPORT + u32 gf_get_bit_size(u32 MaxVal) + { + u32 k=0; +- while ((s32) MaxVal > ((1< (((u32)1< +Date: Mon, 13 Dec 2021 11:23:01 +0100 +Subject: [PATCH] fixed #1966 + +--- + src/scene_manager/scene_dump.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/scene_manager/scene_dump.c b/src/scene_manager/scene_dump.c +index d5fce6cc0..436878dd7 100644 +--- a/src/scene_manager/scene_dump.c ++++ b/src/scene_manager/scene_dump.c +@@ -3223,7 +3223,9 @@ static void dump_od_to_saf(GF_SceneDumper *dumper, GF_AUContext *au, u32 indent) + + + gf_fprintf(dumper->trace, "ESID); +- gf_fprintf(dumper->trace, " streamType=\"%d\" objectTypeIndication=\"%d\" timeStampResolution=\"%d\"", esd->decoderConfig->streamType, esd->decoderConfig->objectTypeIndication, au->owner->timeScale); ++ if (esd->decoderConfig) { ++ gf_fprintf(dumper->trace, " streamType=\"%d\" objectTypeIndication=\"%d\" timeStampResolution=\"%d\"", esd->decoderConfig->streamType, esd->decoderConfig->objectTypeIndication, au->owner->timeScale); ++ } + if (au->timing) gf_fprintf(dumper->trace, " time=\""LLD"\"", au->timing); + if (mux && mux->file_name) gf_fprintf(dumper->trace, " source=\"%s\"", mux->file_name); + gf_fprintf(dumper->trace, "/>\n"); +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45762.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45762.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45762.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45762.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,64 @@ +From 6d647f6e458c9b727eae1a8077d27fa433ced788 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 13 Dec 2021 13:31:01 +0100 +Subject: [PATCH] fixed #1978 + +--- + src/bifs/com_dec.c | 3 ++- + src/bifs/field_decode.c | 5 +++-- + src/scenegraph/vrml_tools.c | 2 +- + 3 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/bifs/com_dec.c b/src/bifs/com_dec.c +index 87c6e7b20..b99ea4e17 100644 +--- a/src/bifs/com_dec.c ++++ b/src/bifs/com_dec.c +@@ -812,7 +812,8 @@ static GF_Err BD_DecFieldReplace(GF_BifsDecoder * codec, GF_BitStream *bs) + } + /*regular field*/ + else if (!gf_sg_vrml_is_sf_field(field.fieldType)) { +- gf_sg_vrml_mf_reset(field.far_ptr, field.fieldType); ++ e = gf_sg_vrml_mf_reset(field.far_ptr, field.fieldType); ++ if (e) return e; + } + + /*parse the field*/ +diff --git a/src/bifs/field_decode.c b/src/bifs/field_decode.c +index a97212ab2..b5cd6e827 100644 +--- a/src/bifs/field_decode.c ++++ b/src/bifs/field_decode.c +@@ -506,7 +506,8 @@ GF_Err gf_bifs_dec_field(GF_BifsDecoder * codec, GF_BitStream *bs, GF_Node *node + * (GF_ChildNodeItem **)field->far_ptr = NULL; + } else { + //remove all items of the MFField +- gf_sg_vrml_mf_reset(field->far_ptr, field->fieldType); ++ e = gf_sg_vrml_mf_reset(field->far_ptr, field->fieldType); ++ if (e) return e; + } + } + +@@ -538,7 +539,7 @@ GF_Err gf_bifs_dec_field(GF_BifsDecoder * codec, GF_BitStream *bs, GF_Node *node + } else { + e = BD_DecMFFieldVec(codec, bs, node, field, is_mem_com); + } +- if (e) return e; ++ if (e) return codec->LastError = e; + } + } + return GF_OK; +diff --git a/src/scenegraph/vrml_tools.c b/src/scenegraph/vrml_tools.c +index c3c85daab..0166cd890 100644 +--- a/src/scenegraph/vrml_tools.c ++++ b/src/scenegraph/vrml_tools.c +@@ -1115,7 +1115,7 @@ GF_EXPORT + GF_Err gf_sg_vrml_mf_reset(void *mf, u32 FieldType) + { + GenMFField *mffield = (GenMFField *)mf; +- if (!mffield->array) return GF_OK; ++ if (!mffield || !mffield->array) return GF_OK; + + //field we can't copy + if (gf_sg_vrml_is_sf_field(FieldType)) return GF_BAD_PARAM; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45763.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45763.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45763.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45763.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,111 @@ +From d2f74e49f2cb8d687c0dc38f66b99e3c5c7d7fec Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 13 Dec 2021 13:04:59 +0100 +Subject: [PATCH] fixed #1974 + +--- + src/bifs/com_dec.c | 13 +++---------- + src/bifs/field_decode.c | 33 ++++++++++++++++++++------------- + 2 files changed, 23 insertions(+), 23 deletions(-) + +diff --git a/src/bifs/com_dec.c b/src/bifs/com_dec.c +index 113152efc..87c6e7b20 100644 +--- a/src/bifs/com_dec.c ++++ b/src/bifs/com_dec.c +@@ -789,7 +789,7 @@ static GF_Err BD_DecFieldReplace(GF_BifsDecoder * codec, GF_BitStream *bs) + { + GF_Err e; + u32 NodeID, ind, field_ind, NumBits; +- GF_Node *node, *prev_node; ++ GF_Node *node; + GF_ChildNodeItem *prev_child; + GF_FieldInfo field; + +@@ -804,14 +804,9 @@ static GF_Err BD_DecFieldReplace(GF_BifsDecoder * codec, GF_BitStream *bs) + e = gf_node_get_field(node, field_ind, &field); + if (e) return e; + +- prev_node = NULL; + prev_child = NULL; +- /*store prev SF node*/ +- if (field.fieldType == GF_SG_VRML_SFNODE) { +- prev_node = *((GF_Node **) field.far_ptr); +- } + /*store prev MFNode content*/ +- else if (field.fieldType == GF_SG_VRML_MFNODE) { ++ if (field.fieldType == GF_SG_VRML_MFNODE) { + prev_child = * ((GF_ChildNodeItem **) field.far_ptr); + * ((GF_ChildNodeItem **) field.far_ptr) = NULL; + } +@@ -825,9 +820,7 @@ static GF_Err BD_DecFieldReplace(GF_BifsDecoder * codec, GF_BitStream *bs) + e = gf_bifs_dec_field(codec, bs, node, &field, GF_FALSE); + codec->is_com_dec = GF_FALSE; + /*remove prev nodes*/ +- if (field.fieldType == GF_SG_VRML_SFNODE) { +- if (prev_node) e = gf_node_unregister(prev_node, node); +- } else if (field.fieldType == GF_SG_VRML_MFNODE) { ++ if (field.fieldType == GF_SG_VRML_MFNODE) { + gf_node_unregister_children(node, prev_child); + } + if (!e) gf_bifs_check_field_change(node, &field); +diff --git a/src/bifs/field_decode.c b/src/bifs/field_decode.c +index 7dc9a64cd..a97212ab2 100644 +--- a/src/bifs/field_decode.c ++++ b/src/bifs/field_decode.c +@@ -238,6 +238,14 @@ GF_Err gf_bifs_dec_sf_field(GF_BifsDecoder * codec, GF_BitStream *bs, GF_Node *n + } + break; + case GF_SG_VRML_SFNODE: ++ //if not memory dec mode, unregister previous node ++ //otherwise the field points to the memory command internal field ++ if (!is_mem_com) { ++ if ( *((GF_Node **) field->far_ptr) != NULL) { ++ gf_node_unregister(*((GF_Node **) field->far_ptr), node); ++ *((GF_Node **) field->far_ptr) = NULL; ++ } ++ } + //for nodes the field ptr is a ptr to the field, which is a node ptr ;) + new_node = gf_bifs_dec_node(codec, bs, field->NDTtype); + if (new_node) { +@@ -870,19 +878,6 @@ GF_Node *gf_bifs_dec_node(GF_BifsDecoder * codec, GF_BitStream *bs, u32 NDT_Tag) + return NULL; + } + +- /*VRML: "The transformation hierarchy shall be a directed acyclic graph; results are undefined if a node +- in the transformation hierarchy is its own ancestor" +- that's good, because the scene graph can't handle cyclic graphs (destroy will never be called). +- We therefore only register the node once parsed*/ +- if (nodeID) { +- if (strlen(name)) { +- gf_node_set_id(new_node, nodeID, name); +- } else { +- gf_node_set_id(new_node, nodeID, NULL); +- } +- } +- +- + /*update default time fields except in proto parsing*/ + if (!codec->pCurrentProto) UpdateTimeNode(codec, new_node); + /*nodes are only init outside protos, nodes internal to protos are never intialized */ +@@ -917,6 +912,18 @@ GF_Node *gf_bifs_dec_node(GF_BifsDecoder * codec, GF_BitStream *bs, u32 NDT_Tag) + return NULL; + } + ++ /*VRML: "The transformation hierarchy shall be a directed acyclic graph; results are undefined if a node ++ in the transformation hierarchy is its own ancestor" ++ that's good, because the scene graph can't handle cyclic graphs (destroy will never be called). ++ We therefore only register the node once parsed*/ ++ if (nodeID) { ++ if (strlen(name)) { ++ gf_node_set_id(new_node, nodeID, name); ++ } else { ++ gf_node_set_id(new_node, nodeID, NULL); ++ } ++ } ++ + if (!skip_init) + gf_node_init(new_node); + +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45764.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45764.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45764.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45764.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,24 @@ +Origin: https://github.com/gpac/gpac/commit/e54df17892bee983d09d9437e44e6a1528fb46cb +Reviewed-by: Aron Xu + +From e54df17892bee983d09d9437e44e6a1528fb46cb Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 13 Dec 2021 11:42:13 +0100 +Subject: [PATCH] fixed #1971 + +--- + src/isomedia/isom_store.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: gpac-1.0.1+dfsg1/src/isomedia/isom_store.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/isomedia/isom_store.c ++++ gpac-1.0.1+dfsg1/src/isomedia/isom_store.c +@@ -253,6 +253,7 @@ static GF_Err ShiftOffset(GF_ISOFile *fi + + i=0; + while ((writer = (TrackWriter *)gf_list_enum(writers, &i))) { ++ if (!writer->stsc || !writer->stco) return GF_ISOM_INVALID_FILE; + if (writer->mdia->mediaTrack->meta) ShiftMetaOffset(writer->mdia->mediaTrack->meta, offset); + + //we have to proceed entry by entry in case a part of the media is not self-contained... diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45767.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45767.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45767.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45767.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,25 @@ +From 830548acd030467e857f4cf0b79af8ebf1e04dde Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Tue, 14 Dec 2021 10:00:33 +0100 +Subject: [PATCH] fixed #1982 + +--- + src/laser/lsr_dec.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/laser/lsr_dec.c b/src/laser/lsr_dec.c +index bb8305623..c771f1ca1 100644 +--- a/src/laser/lsr_dec.c ++++ b/src/laser/lsr_dec.c +@@ -675,6 +675,8 @@ static void lsr_read_paint(GF_LASeRCodec *lsr, SVG_Paint *paint, const char *nam + iri.type = 0xFF; + lsr_read_any_uri(lsr, &iri, name); + gf_node_unregister_iri(lsr->sg, &iri); ++ gf_list_del_item(lsr->deferred_hrefs, &iri); ++ + paint->type = SVG_PAINT_URI; + if (iri.string) { + paint->type = SVG_PAINT_URI; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45831.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45831.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45831.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-45831.patch 2023-05-23 08:07:38.000000000 +0000 @@ -0,0 +1,34 @@ +From 4613a35362e15a6df90453bd632d083645e5a765 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Wed, 15 Dec 2021 09:49:28 +0100 +Subject: [PATCH] fixed #1990 + +--- + src/scenegraph/svg_attributes.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/scenegraph/svg_attributes.c b/src/scenegraph/svg_attributes.c +index 4cee6f7ab..64145b9e8 100644 +--- a/src/scenegraph/svg_attributes.c ++++ b/src/scenegraph/svg_attributes.c +@@ -4580,7 +4580,7 @@ char *gf_svg_dump_attribute(GF_Node *elt, GF_FieldInfo *info) + case SVG_FontFamily_datatype: + { + SVG_FontFamily *f = (SVG_FontFamily *)info->far_ptr; +- return gf_strdup( (f->type==SVG_FONTFAMILY_INHERIT) ? "inherit" : (const char *) f->value); ++ return gf_strdup( (!f->value || (f->type==SVG_FONTFAMILY_INHERIT)) ? "inherit" : (const char *) f->value); + } + + case SVG_PreserveAspectRatio_datatype: +@@ -4924,7 +4924,7 @@ char *gf_svg_dump_attribute_indexed(GF_Node *elt, GF_FieldInfo *info) + case SVG_PointerEvents_datatype: + break; + case XMLRI_List_datatype: +- return gf_strdup( (char *) info->far_ptr); ++ return gf_strdup(info->far_ptr ? (char *) info->far_ptr : ""); + + case SVG_Points_datatype: + { +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-46038to46046_46049_46051.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-46038to46046_46049_46051.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-46038to46046_46049_46051.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-46038to46046_46049_46051.patch 2023-05-23 08:10:20.000000000 +0000 @@ -0,0 +1,34 @@ +Origin: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f +Reviewed-by: Aron Xu + +From f5a778edd1febd574ff9558d2faa57133bdb4a5f Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 3 Jan 2022 11:12:21 +0100 +Subject: [PATCH] fixed #1999 + +--- + src/isomedia/isom_store.c | 4 ++++ + 1 file changed, 4 insertions(+) + +Index: gpac-1.0.1+dfsg1/src/isomedia/isom_store.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/isomedia/isom_store.c ++++ gpac-1.0.1+dfsg1/src/isomedia/isom_store.c +@@ -270,6 +270,8 @@ static GF_Err ShiftOffset(GF_ISOFile *fi + //be carefull for the last entry, nextChunk is set to 0 in edit mode... + last = ent->nextChunk ? ent->nextChunk : stco->nb_entries + 1; + for (k = ent->firstChunk; k < last; k++) { ++ if (stco->nb_entries < k) ++ return GF_ISOM_INVALID_FILE; + + //we need to rewrite the table: only allocate co64 if not done previously and convert all offsets + //to co64. Then (whether co64 was created or not) adjust the offset +@@ -303,6 +305,8 @@ static GF_Err ShiftOffset(GF_ISOFile *fi + //be carefull for the last entry ... + last = ent->nextChunk ? ent->nextChunk : stco64->nb_entries + 1; + for (k = ent->firstChunk; k < last; k++) { ++ if (stco64->nb_entries < k) ++ return GF_ISOM_INVALID_FILE; + stco64->offsets[k-1] += offset; + } + } diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2021-46047.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2021-46047.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2021-46047.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2021-46047.patch 2023-05-23 08:10:20.000000000 +0000 @@ -0,0 +1,33 @@ +From dd2e8b1b9378a9679de8e7e5dcb2d7841acd5dbd Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 3 Jan 2022 11:24:15 +0100 +Subject: [PATCH] fixed #2008 + +--- + src/media_tools/isom_hinter.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/media_tools/isom_hinter.c b/src/media_tools/isom_hinter.c +index d35e887ec..083f6713a 100644 +--- a/src/media_tools/isom_hinter.c ++++ b/src/media_tools/isom_hinter.c +@@ -1288,10 +1288,13 @@ GF_Err gf_hinter_finalize(GF_ISOFile *file, GF_SDP_IODProfile IOD_Profile, u32 b + } + gf_isom_sample_del(&samp); + } +- if (remove_ocr) esd->OCRESID = 0; +- else if (esd->OCRESID == esd->ESID) esd->OCRESID = 0; + +- gf_list_add(iod->ESDescriptors, esd); ++ if (esd) { ++ if (remove_ocr) esd->OCRESID = 0; ++ else if (esd->OCRESID == esd->ESID) esd->OCRESID = 0; ++ ++ gf_list_add(iod->ESDescriptors, esd); ++ } + + if (is_ok) { + u32 has_a, has_v, has_i_a, has_i_v; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1035.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1035.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1035.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1035.patch 2023-05-23 08:12:28.000000000 +0000 @@ -0,0 +1,26 @@ +From 3718d583c6ade191dc7979c64f48c001ca6f0243 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Thu, 17 Mar 2022 12:00:55 +0100 +Subject: [PATCH] fixed #2146 + +--- + src/scene_manager/scene_dump.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/scene_manager/scene_dump.c b/src/scene_manager/scene_dump.c +index 3104d23c3..6fe250f52 100644 +--- a/src/scene_manager/scene_dump.c ++++ b/src/scene_manager/scene_dump.c +@@ -755,8 +755,7 @@ static void gf_dump_vrml_simple_field(GF_SceneDumper *sdump, GF_FieldInfo field, + + switch (field.fieldType) { + case GF_SG_VRML_SFNODE: +- assert ( *(GF_Node **)field.far_ptr); +- gf_dump_vrml_node(sdump, *(GF_Node **)field.far_ptr, 0, NULL); ++ gf_dump_vrml_node(sdump, field.far_ptr ? *(GF_Node **)field.far_ptr : NULL, 0, NULL); + return; + case GF_SG_VRML_MFNODE: + list = * ((GF_ChildNodeItem **) field.far_ptr); +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1222.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1222.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1222.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1222.patch 2023-05-23 08:12:28.000000000 +0000 @@ -0,0 +1,46 @@ +From 7f060bbb72966cae80d6fee338d0b07fa3fc06e1 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Thu, 31 Mar 2022 13:57:05 +0200 +Subject: [PATCH] fixed #2159 + +--- + src/media_tools/avilib.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/media_tools/avilib.c b/src/media_tools/avilib.c +index 71e751d19..14febb365 100644 +--- a/src/media_tools/avilib.c ++++ b/src/media_tools/avilib.c +@@ -1884,8 +1884,8 @@ avi_t *AVI_open_fd(FILE *fd, int getIndex) + + int avi_parse_input_file(avi_t *AVI, int getIndex) + { +- int i, rate, scale, idx_type; +- s64 n; ++ int rate, scale, idx_type; ++ s64 n, i; + unsigned char *hdrl_data; + u64 header_offset=0; + int hdrl_len=0; +@@ -1939,6 +1939,7 @@ int avi_parse_input_file(avi_t *AVI, int getIndex) + n -= 4; + if(strnicmp(data,"hdrl",4) == 0) + { ++ if (n>0xFFFFFFFF) ERR_EXIT(AVI_ERR_READ) + hdrl_len = (u32) n; + hdrl_data = (unsigned char *) gf_malloc((u32)n); + if(hdrl_data==0) ERR_EXIT(AVI_ERR_NO_MEM); +@@ -2091,8 +2092,10 @@ int avi_parse_input_file(avi_t *AVI, int getIndex) + AVI->compressor2[4] = 0; + + if (n>40) { ++ if (n>0xFFFFFFFF) ERR_EXIT(AVI_ERR_READ) + AVI->extradata_size = (u32) (n - 40); + AVI->extradata = gf_malloc(sizeof(u8)* AVI->extradata_size); ++ if (!AVI->extradata) ERR_EXIT(AVI_ERR_NO_MEM) + memcpy(AVI->extradata, hdrl_data + i + 40, AVI->extradata_size); + } + +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1441.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1441.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1441.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1441.patch 2023-05-23 08:12:28.000000000 +0000 @@ -0,0 +1,41 @@ +From 3dbe11b37d65c8472faf0654410068e5500b3adb Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Tue, 19 Apr 2022 09:15:58 +0200 +Subject: [PATCH] fixed #2175 + +--- + src/isomedia/box_code_3gpp.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/src/isomedia/box_code_3gpp.c b/src/isomedia/box_code_3gpp.c +index 3f9ff0569..928a5575f 100644 +--- a/src/isomedia/box_code_3gpp.c ++++ b/src/isomedia/box_code_3gpp.c +@@ -1128,20 +1128,12 @@ void diST_box_del(GF_Box *s) + + GF_Err diST_box_read(GF_Box *s, GF_BitStream *bs) + { +- u32 i; +- char str[1024]; + GF_DIMSScriptTypesBox *p = (GF_DIMSScriptTypesBox *)s; + +- i=0; +- str[0]=0; +- while (1) { +- str[i] = gf_bs_read_u8(bs); +- if (!str[i]) break; +- i++; +- } +- ISOM_DECREASE_SIZE(p, i); +- +- p->content_script_types = gf_strdup(str); ++ p->content_script_types = gf_malloc(sizeof(char) * (s->size+1)); ++ if (!p->content_script_types) return GF_OUT_OF_MEM; ++ gf_bs_read_data(bs, p->content_script_types, s->size); ++ p->content_script_types[s->size] = 0; + return GF_OK; + } + +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1795.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1795.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1795.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-1795.patch 2023-05-23 08:12:28.000000000 +0000 @@ -0,0 +1,40 @@ +From c535bad50d5812d27ee5b22b54371bddec411514 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Wed, 18 May 2022 11:49:49 +0200 +Subject: [PATCH] fixed #2194 + +--- + src/bifs/memory_decoder.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/bifs/memory_decoder.c b/src/bifs/memory_decoder.c +index 74d635750..1fc8c9963 100644 +--- a/src/bifs/memory_decoder.c ++++ b/src/bifs/memory_decoder.c +@@ -178,7 +178,12 @@ static GF_Err BM_ParseGlobalQuantizer(GF_BifsDecoder *codec, GF_BitStream *bs, G + codec->scenegraph->global_qp = NULL; + + if (gf_node_get_tag(node) != TAG_MPEG4_QuantizationParameter) { +- gf_node_unregister(node, NULL); ++ //if node was just created (num_instances == 0), unregister ++ //otherwise (USE node) don't do anything ++ if (!node->sgprivate->num_instances) { ++ node->sgprivate->num_instances = 1; ++ gf_node_unregister(node, NULL); ++ } + return GF_NON_COMPLIANT_BITSTREAM; + } + +@@ -188,7 +193,8 @@ static GF_Err BM_ParseGlobalQuantizer(GF_BifsDecoder *codec, GF_BitStream *bs, G + codec->scenegraph->global_qp = node; + + /*register TWICE: once for the command, and for the scenegraph globalQP*/ +- node->sgprivate->num_instances = 2; ++ gf_node_unregister(node, NULL); ++ gf_node_unregister(node, NULL); + + com = gf_sg_command_new(codec->current_graph, GF_SG_GLOBAL_QUANTIZER); + inf = gf_sg_command_field_new(com); +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-2454.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-2454.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-2454.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-2454.patch 2023-05-23 08:12:28.000000000 +0000 @@ -0,0 +1,25 @@ +From faa75edde3dfeba1e2cf6ffa48e45a50f1042096 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Tue, 12 Jul 2022 18:00:35 +0200 +Subject: [PATCH] fixed #2213 + +--- + src/laser/lsr_dec.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/laser/lsr_dec.c b/src/laser/lsr_dec.c +index 99d16aaa7..488babb10 100644 +--- a/src/laser/lsr_dec.c ++++ b/src/laser/lsr_dec.c +@@ -838,6 +838,8 @@ static void lsr_read_id(GF_LASeRCodec *lsr, GF_Node *n) + + static Fixed lsr_translate_coords(GF_LASeRCodec *lsr, u32 val, u32 nb_bits) + { ++ if (!nb_bits) return 0; ++ + #ifdef GPAC_FIXED_POINT + if (val >> (nb_bits-1) ) { + s32 neg = (s32) val - (1< + + +From 9f8510835b97a729baf3646a3171bf51b4a8592e Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Wed, 19 Jan 2022 12:12:43 +0100 +Subject: [PATCH] fixed #2055 + +--- + src/filters/isoffin_read_ch.c | 10 +++++++--- + src/media_tools/media_export.c | 5 +++++ + src/scene_manager/scene_dump.c | 22 +++++++++++++--------- + 3 files changed, 24 insertions(+), 11 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/filters/isoffin_read_ch.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/filters/isoffin_read_ch.c ++++ gpac-1.0.1+dfsg1/src/filters/isoffin_read_ch.c +@@ -365,10 +365,10 @@ void isor_reader_get_sample(ISOMChannel + ch->sample_num--; + } else { + if (ch->to_init && ch->sample_num) { +- GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[IsoMedia] Failed to fetch initial sample %d for track %d\n")); ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[IsoMedia] Failed to fetch initial sample %d for track %d\n", ch->sample_num, ch->track)); + ch->last_state = GF_ISOM_INVALID_FILE; +- } +- if (ch->sample_num >= gf_isom_get_sample_count(ch->owner->mov, ch->track)) { ++ } else { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[IsoMedia] File truncated, aborting read for track %d\n", ch->track)); + ch->last_state = GF_EOS; + } + } +@@ -391,6 +391,9 @@ void isor_reader_get_sample(ISOMChannel + } + } else { + GF_LOG(GF_LOG_DEBUG, GF_LOG_DASH, ("[IsoMedia] Track #%d fail to fetch sample %d / %d: %s\n", ch->track, ch->sample_num, gf_isom_get_sample_count(ch->owner->mov, ch->track), gf_error_to_string(gf_isom_last_error(ch->owner->mov)) )); ++ if ((elast_state = GF_EOS; ++ } + } + return; + } +Index: gpac-1.0.1+dfsg1/src/media_tools/media_export.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/media_tools/media_export.c ++++ gpac-1.0.1+dfsg1/src/media_tools/media_export.c +@@ -1038,6 +1038,11 @@ GF_Err gf_media_export_saf(GF_MediaExpor + GF_ISOSample *samp; + if (safs[i].last_sample==safs[i].nb_samp) continue; + samp = gf_isom_get_sample(dumper->file, safs[i].track_num, safs[i].last_sample + 1, &di); ++ if (!samp) { ++ gf_saf_mux_del(mux); ++ return gf_isom_last_error(dumper->file); ++ } ++ + gf_saf_mux_add_au(mux, safs[i].stream_id, (u32) (samp->DTS+samp->CTS_Offset), samp->data, samp->dataLength, (samp->IsRAP==RAP) ? 1 : 0); + /*data is kept by muxer!!*/ + gf_free(samp); +Index: gpac-1.0.1+dfsg1/src/scene_manager/scene_dump.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/scene_manager/scene_dump.c ++++ gpac-1.0.1+dfsg1/src/scene_manager/scene_dump.c +@@ -937,10 +937,12 @@ static void gf_dump_vrml_field(GF_SceneD + } + + if (!sdump->XMLDump) gf_fprintf(sdump->trace, "["); +- for (i=0; icount; i++) { +- if (i) gf_fprintf(sdump->trace, " "); +- gf_sg_vrml_mf_get_item(field.far_ptr, field.fieldType, &slot_ptr, i); +- gf_dump_vrml_sffield(sdump, sf_type, slot_ptr, 1, node); ++ if (mffield) { ++ for (i=0; icount; i++) { ++ if (i) gf_fprintf(sdump->trace, " "); ++ gf_sg_vrml_mf_get_item(field.far_ptr, field.fieldType, &slot_ptr, i); ++ gf_dump_vrml_sffield(sdump, sf_type, slot_ptr, 1, node); ++ } + } + if (!sdump->XMLDump) gf_fprintf(sdump->trace, "]"); + +@@ -1258,11 +1260,13 @@ static void gf_dump_vrml_proto_field(GF_ + } else { + gf_fprintf(sdump->trace, " %s=\"", GetXMTFieldTypeValueName(field.fieldType)); + } +- for (i=0; icount; i++) { +- if (i) gf_fprintf(sdump->trace, " "); +- if (field.fieldType != GF_SG_VRML_MFNODE) { +- gf_sg_vrml_mf_get_item(field.far_ptr, field.fieldType, &slot_ptr, i); +- gf_dump_vrml_sffield(sdump, sf_type, slot_ptr, (mffield->count>1) ? 1 : 0, node); ++ if (mffield) { ++ for (i=0; icount; i++) { ++ if (i) gf_fprintf(sdump->trace, " "); ++ if (field.fieldType != GF_SG_VRML_MFNODE) { ++ gf_sg_vrml_mf_get_item(field.far_ptr, field.fieldType, &slot_ptr, i); ++ gf_dump_vrml_sffield(sdump, sf_type, slot_ptr, (mffield->count>1) ? 1 : 0, node); ++ } + } + } + gf_fprintf(sdump->trace, "\"/>\n"); diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-24577.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-24577.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-24577.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-24577.patch 2023-05-23 08:52:29.000000000 +0000 @@ -0,0 +1,89 @@ +From 586e817dcd531bb3e75438390f1f753cfe6e940a Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 17 Jan 2022 10:40:43 +0100 +Subject: [PATCH] fixed #2046 + +--- + src/isomedia/box_code_base.c | 38 +++++++++++++++++++++++++++++++++++- + src/isomedia/isom_write.c | 2 +- + 2 files changed, 38 insertions(+), 2 deletions(-) + +diff --git a/src/isomedia/box_code_base.c b/src/isomedia/box_code_base.c +index c52c3a0c8..eb6e7571b 100644 +--- a/src/isomedia/box_code_base.c ++++ b/src/isomedia/box_code_base.c +@@ -2835,7 +2835,17 @@ GF_Err iods_box_read(GF_Box *s, GF_BitStream *bs) + e = gf_odf_desc_read(desc, descSize, &ptr->descriptor); + //OK, free our desc + gf_free(desc); +- return e; ++ ++ if (e) return e; ++ switch (ptr->descriptor->tag) { ++ case GF_ODF_ISOM_OD_TAG: ++ case GF_ODF_ISOM_IOD_TAG: ++ break; ++ default: ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid descriptor in iods, tag %u found but only %u or %u allowed\n", ptr->descriptor->tag, GF_ODF_ISOM_IOD_TAG, GF_ODF_ISOM_OD_TAG )); ++ return GF_ISOM_INVALID_FILE; ++ } ++ return GF_OK; + } + + GF_Box *iods_box_new() +@@ -5080,6 +5090,32 @@ GF_Err stbl_box_read(GF_Box *s, GF_BitStream *bs) + if (!ptr->TimeToSample->nb_entries || !ptr->SampleToChunk->nb_entries) + return GF_ISOM_INVALID_FILE; + } ++ u32 i, max_chunks=0; ++ if (ptr->ChunkOffset->type == GF_ISOM_BOX_TYPE_STCO) { ++ max_chunks = ((GF_ChunkOffsetBox *)ptr->ChunkOffset)->nb_entries; ++ } ++ else if (ptr->ChunkOffset->type == GF_ISOM_BOX_TYPE_CO64) { ++ max_chunks = ((GF_ChunkOffsetBox *)ptr->ChunkOffset)->nb_entries; ++ } ++ ++ //sanity check on stsc vs chunk offset tables ++ for (i=0; iSampleToChunk->nb_entries; i++) { ++ GF_StscEntry *ent = &ptr->SampleToChunk->entries[i]; ++ if (!i && (ent->firstChunk!=1)) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] first_chunk of first entry shall be 1 but is %u\n", ent->firstChunk)); ++ return GF_ISOM_INVALID_FILE; ++ } ++ if (ptr->SampleToChunk->entries[i].firstChunk > max_chunks) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] first_chunk is %u but number of chunks defined %u\n", ptr->SampleToChunk->entries[i].firstChunk, max_chunks)); ++ return GF_ISOM_INVALID_FILE; ++ } ++ if (i+1 == ptr->SampleToChunk->nb_entries) break; ++ GF_StscEntry *next_ent = &ptr->SampleToChunk->entries[i+1]; ++ if (next_ent->firstChunk < ent->firstChunk) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] first_chunk (%u) for entry %u is greater than first_chunk (%u) for entry %u\n", i+1, ent->firstChunk, i+2, next_ent->firstChunk)); ++ return GF_ISOM_INVALID_FILE; ++ } ++ } + return GF_OK; + } + +diff --git a/src/isomedia/isom_write.c b/src/isomedia/isom_write.c +index 69f9c9ebc..832526841 100644 +--- a/src/isomedia/isom_write.c ++++ b/src/isomedia/isom_write.c +@@ -2822,6 +2822,7 @@ GF_Err gf_isom_remove_track(GF_ISOFile *movie, u32 trackNumber) + i=0; + while ((trak = (GF_TrackBox *)gf_list_enum(movie->moov->trackList, &i))) { + if (trak->Media->handler->handlerType != GF_ISOM_MEDIA_OD) continue; ++ + //this is an OD track... + j = gf_isom_get_sample_count(movie, i); + for (k=0; k < j; k++) { +@@ -2845,7 +2846,6 @@ GF_Err gf_isom_remove_track(GF_ISOFile *movie, u32 trackNumber) + //note that we don't touch scal references, as we don't want to rewrite AVC/HEVC samples ... + i=0; + while ((trak = (GF_TrackBox *)gf_list_enum(movie->moov->trackList, &i))) { +- if (trak == the_trak) continue; + if (! trak->References || ! gf_list_count(trak->References->child_boxes)) continue; + + j=0; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-24578.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-24578.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-24578.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-24578.patch 2023-05-23 08:52:29.000000000 +0000 @@ -0,0 +1,32 @@ +From b5741da08e88e8dcc8da0a7669b92405b9862850 Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Mon, 17 Jan 2022 15:35:59 +0100 +Subject: [PATCH] fix overflow on script_dec (#2052) + +--- + src/bifs/script_dec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/bifs/script_dec.c b/src/bifs/script_dec.c +index 36265cf0f..c4cb67c19 100644 +--- a/src/bifs/script_dec.c ++++ b/src/bifs/script_dec.c +@@ -72,13 +72,13 @@ static void SFS_AddString(ScriptParser *parser, char *str) + char *new_str; + if (!str) return; + if (strlen(parser->string) + strlen(str) >= parser->length) { +- parser->length += PARSER_STEP_ALLOC; ++ parser->length = strlen(parser->string) + strlen(str) + PARSER_STEP_ALLOC; + new_str = (char *)gf_malloc(sizeof(char)*parser->length); + strcpy(new_str, parser->string); + gf_free(parser->string); + parser->string = new_str; + } +- strcat(parser->string, str); ++ strncat(parser->string, str, parser->length - strlen(parser->string) - 1); + } + + static void SFS_AddInt(ScriptParser *parser, s32 val) +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-26967_partial.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-26967_partial.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-26967_partial.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-26967_partial.patch 2023-05-23 08:52:29.000000000 +0000 @@ -0,0 +1,244 @@ +From ea1eca00fd92fa17f0e25ac25652622924a9a6a0 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Thu, 10 Mar 2022 15:43:11 +0100 +Subject: [PATCH] fixed #2138 + +--- + include/gpac/base_coding.h | 4 ++-- + src/filters/dasher.c | 4 ++-- + src/filters/write_generic.c | 5 +++-- + src/filters/write_nhml.c | 4 ++-- + src/isomedia/box_dump.c | 4 ++-- + src/jsmods/core.c | 7 ++++--- + src/media_tools/crypt_tools.c | 2 +- + src/media_tools/media_export.c | 12 +++++------- + src/scene_manager/loader_svg.c | 8 ++++---- + src/scene_manager/scene_dump.c | 6 +++--- + src/scene_manager/scene_engine.c | 5 +++-- + src/utils/base_encoding.c | 6 +++--- + src/utils/xml_parser.c | 5 +++-- + 13 files changed, 37 insertions(+), 35 deletions(-) + +Index: gpac-1.0.1+dfsg1/include/gpac/base_coding.h +=================================================================== +--- gpac-1.0.1+dfsg1.orig/include/gpac/base_coding.h ++++ gpac-1.0.1+dfsg1/include/gpac/base_coding.h +@@ -56,7 +56,7 @@ Encodes a data buffer to Base64 + \param in_buffer_size input data buffer size + \param out_buffer output Base64 buffer location + \param out_buffer_size output Base64 buffer allocated size +-\return size of the encoded Base64 buffer ++\return size of the encoded Base64 buffer, 0 if error + \note the encoded data buffer is not NULL-terminated. + */ + u32 gf_base64_encode(const u8 *in_buffer, u32 in_buffer_size, u8 *out_buffer, u32 out_buffer_size); +@@ -80,7 +80,7 @@ Encodes a data buffer to Base16 + \param in_buffer_size input data buffer size + \param out_buffer output Base16 buffer location + \param out_buffer_size output Base16 buffer allocated size +-\return size of the encoded Base16 buffer ++\return size of the encoded Base16 buffer, 0 if error + \note the encoded data buffer is not NULL-terminated. + */ + u32 gf_base16_encode(u8 *in_buffer, u32 in_buffer_size, u8 *out_buffer, u32 out_buffer_size); +Index: gpac-1.0.1+dfsg1/src/filters/dasher.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/filters/dasher.c ++++ gpac-1.0.1+dfsg1/src/filters/dasher.c +@@ -1627,8 +1627,8 @@ static GF_List *dasher_get_content_prote + pnode->type = GF_XML_TEXT_TYPE; + gf_list_add(node->content, pnode); + +- size_64 = 2*pssh_len; +- pnode->name = gf_malloc(size_64); ++ size_64 = 2*pssh_len + 3; ++ pnode->name = gf_malloc(sizeof(char) * size_64); + if (pnode->name) { + size_64 = gf_base64_encode((const char *)pssh_data, pssh_len, (char *)pnode->name, size_64); + pnode->name[size_64] = 0; +Index: gpac-1.0.1+dfsg1/src/filters/write_nhml.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/filters/write_nhml.c ++++ gpac-1.0.1+dfsg1/src/filters/write_nhml.c +@@ -760,8 +760,8 @@ static void nhmldump_send_frame(GF_NHMLD + gf_bs_write_data(ctx->bs_w, nhml, (u32) strlen(nhml)); + } else { + u32 d_size; +- if (ctx->b64_buffer_size<2*s_size) { +- ctx->b64_buffer_size = 2 * s_size; ++ if (ctx->b64_buffer_size < 2*s_size + 3) { ++ ctx->b64_buffer_size = 2 * s_size + 3; + ctx->b64_buffer = gf_realloc(ctx->b64_buffer, ctx->b64_buffer_size); + } + d_size = gf_base64_encode(data + offset_in_sample, s_size, ctx->b64_buffer, ctx->b64_buffer_size); +Index: gpac-1.0.1+dfsg1/src/isomedia/box_dump.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/isomedia/box_dump.c ++++ gpac-1.0.1+dfsg1/src/isomedia/box_dump.c +@@ -5089,8 +5089,8 @@ GF_Err colr_box_dump(GF_Box *a, FILE * t + gf_fprintf(trace, "colour_type=\"%s\">\n", gf_4cc_to_str(ptr->colour_type)); + if (ptr->opaque != NULL) { + gf_fprintf(trace, "opaque_size; +- prof_data_64 = gf_malloc(size_64); ++ size_64 = 2*ptr->opaque_size+3; ++ prof_data_64 = gf_malloc(sizeof(char) * size_64); + size_64 = gf_base64_encode((const char *) ptr->opaque, ptr->opaque_size, (char *)prof_data_64, size_64); + prof_data_64[size_64] = 0; + gf_fprintf(trace, "%s", prof_data_64); +Index: gpac-1.0.1+dfsg1/src/jsmods/core.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/jsmods/core.c ++++ gpac-1.0.1+dfsg1/src/jsmods/core.c +@@ -1361,14 +1361,15 @@ static JSValue js_sys_basecode_ex(JSCont + size_t data_size; + data = JS_GetArrayBuffer(ctx, &data_size, argv[0] ); + if (!data) return JS_EXCEPTION; +- out_ptr = gf_malloc(sizeof(u8) * (1 + data_size * 2) ); ++ u32 size64 = (u32) data_size * 2 + 3; ++ out_ptr = gf_malloc(sizeof(char) * size64); + if (!out_ptr) { + e = GF_OUT_OF_MEM; + } else if (is_16) { +- out_size = gf_base16_encode((u8*) data, (u32) data_size, out_ptr, 1 + (u32) data_size * 2); ++ out_size = gf_base16_encode((u8*) data, (u32) data_size, out_ptr, size64); + e = out_size ? GF_OK : GF_NON_COMPLIANT_BITSTREAM; + } else { +- out_size = gf_base64_encode((u8*) data, (u32) data_size, out_ptr, 1 + (u32) data_size * 2); ++ out_size = gf_base64_encode((u8*) data, (u32) data_size, out_ptr, size64); + e = out_size ? GF_OK : GF_NON_COMPLIANT_BITSTREAM; + } + } +Index: gpac-1.0.1+dfsg1/src/media_tools/crypt_tools.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/media_tools/crypt_tools.c ++++ gpac-1.0.1+dfsg1/src/media_tools/crypt_tools.c +@@ -240,7 +240,7 @@ static void cryptinfo_node_start(void *s + } + } + else if (!stricmp(att->name, "metadata")) { +- u32 l = 2 * (u32) strlen(att->value); ++ u32 l = 2 * (u32) strlen(att->value) + 3; + tkc->metadata = gf_malloc(sizeof(char) * l); + l = gf_base64_encode(att->value, (u32) strlen(att->value), tkc->metadata, l); + tkc->metadata[l] = 0; +Index: gpac-1.0.1+dfsg1/src/media_tools/media_export.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/media_tools/media_export.c ++++ gpac-1.0.1+dfsg1/src/media_tools/media_export.c +@@ -800,14 +800,12 @@ GF_Err gf_media_export_webvtt_metadata(G + samp->data[samp->dataLength] = 0; + gf_fprintf(vtt, "%s\n", samp->data); + } else { +- u32 b64_size; ++ u32 b64_size = samp->dataLength*2 + 3; + char *b64; +- b64 = (char *)gf_malloc(samp->dataLength*3); +- b64_size = gf_base64_encode(samp->data, samp->dataLength, b64, samp->dataLength*3); +- if (b64_size != (u32)-1) { +- b64[b64_size] = 0; +- gf_fprintf(vtt, "%s\n", b64); +- } ++ b64 = (char *)gf_malloc(sizeof(char)*b64_size); ++ b64_size = gf_base64_encode(samp->data, samp->dataLength, b64, b64_size); ++ b64[b64_size] = 0; ++ gf_fprintf(vtt, "%s\n", b64); + gf_free(b64); + } + } +Index: gpac-1.0.1+dfsg1/src/scene_manager/loader_svg.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/scene_manager/loader_svg.c ++++ gpac-1.0.1+dfsg1/src/scene_manager/loader_svg.c +@@ -2,7 +2,7 @@ + * GPAC - Multimedia Framework C SDK + * + * Authors: Jean Le Feuvre, Cyril Concolato +- * Copyright (c) Telecom ParisTech 2000-2012 ++ * Copyright (c) Telecom ParisTech 2000-2022 + * All rights reserved + * + * This file is part of GPAC / Scene Management sub-project +@@ -259,10 +259,10 @@ static void svg_process_media_href(GF_SV + } else { + char *mtype; + char *buf64; +- u64 size64; ++ u32 size64 = size*2 + 3; + char *ext; +- buf64 = (char *)gf_malloc((size_t)size*2); +- size64 = gf_base64_encode(buffer, (u32)size, buf64, (u32)size*2); ++ buf64 = (char *)gf_malloc(sizeof(char) * size64); ++ size64 = gf_base64_encode(buffer, (u32)size, buf64, size64); + buf64[size64] = 0; + mtype = "application/data"; + ext = strchr(iri->string, '.'); +Index: gpac-1.0.1+dfsg1/src/scene_manager/scene_dump.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/scene_manager/scene_dump.c ++++ gpac-1.0.1+dfsg1/src/scene_manager/scene_dump.c +@@ -2,7 +2,7 @@ + * GPAC - Multimedia Framework C SDK + * + * Authors: Jean Le Feuvre +- * Copyright (c) Telecom ParisTech 2000-2012 ++ * Copyright (c) Telecom ParisTech 2000-2022 + * All rights reserved + * + * This file is part of GPAC / Scene Management sub-project +@@ -649,8 +649,8 @@ static void gf_dump_vrml_sffield(GF_Scen + str = ((SFString *)ptr)->buffer; + + if (node && (gf_node_get_tag(node)==TAG_MPEG4_BitWrapper)) { +- u32 bufsize = 50+ ((M_BitWrapper*)node)->buffer_len * 2; +- str = gf_malloc(sizeof(char)* bufsize); ++ u32 bufsize = 37 + ((M_BitWrapper*)node)->buffer_len * 2 + 3; ++ str = gf_malloc(sizeof(char) * bufsize); + if (str) { + s32 res; + strcpy(str, "data:application/octet-string;base64,"); +Index: gpac-1.0.1+dfsg1/src/scene_manager/scene_engine.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/scene_manager/scene_engine.c ++++ gpac-1.0.1+dfsg1/src/scene_manager/scene_engine.c +@@ -1105,8 +1105,9 @@ char *gf_seng_get_base64_iod(GF_SceneEng + + size = 0; + gf_odf_desc_write((GF_Descriptor *) seng->ctx->root_od, &buffer, &size); +- buf64 = gf_malloc(size*2); +- size64 = gf_base64_encode( buffer, size, buf64, size*2); ++ size64 = size*2 + 3; ++ buf64 = gf_malloc(sizeof(char) * size64); ++ size64 = gf_base64_encode( buffer, size, buf64, size64); + buf64[size64] = 0; + gf_free(buffer); + return buf64; +Index: gpac-1.0.1+dfsg1/src/utils/base_encoding.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/utils/base_encoding.c ++++ gpac-1.0.1+dfsg1/src/utils/base_encoding.c +@@ -42,6 +42,8 @@ u32 gf_base64_encode(const u8 *_in, u32 + + while (i < inSize) { + padding = 3 - (inSize - i); ++ if (j+4>=outSize) ++ return 0; + if (padding == 2) { + out[j] = base_64[in[i]>>2]; + out[j+1] = base_64[(in[i] & 0x03) << 4]; +@@ -147,14 +149,12 @@ u32 gf_base16_encode(u8 *_in, u32 inSize + unsigned char *in = (unsigned char *)_in; + unsigned char *out = (unsigned char *)_out; + +- if (outSize < (inSize * 2)+1) return 0; ++ if (outSize < (inSize * 2)) return 0; + + for (i=0; i> 4)]; + out[2*i+1] = base_16[(in[i] & 0x0f)]; + } +- out[(inSize * 2)] = 0; +- + return inSize * 2; + } + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-27145.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-27145.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-27145.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-27145.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,32 @@ +From d7daa8aeb6df4b6c3ec102622e1599279310a19e Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Tue, 8 Feb 2022 16:10:15 +0100 +Subject: [PATCH] fixed #2108 + +--- + src/isomedia/isom_read.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/isomedia/isom_read.c b/src/isomedia/isom_read.c +index a1a5516b0..a212dcc56 100644 +--- a/src/isomedia/isom_read.c ++++ b/src/isomedia/isom_read.c +@@ -2361,8 +2361,13 @@ GF_Err gf_isom_get_sample_for_movie_time(GF_ISOFile *the_file, u32 trackNumber, + return e; + #endif + +- if (nextMediaTime && (nextMediaTime-1 != movieTime)) +- return gf_isom_get_sample_for_movie_time(the_file, trackNumber, nextMediaTime-1, StreamDescriptionIndex, SearchMode, sample, sampleNumber, data_offset); ++ if ((SearchMode==GF_ISOM_SEARCH_SYNC_BACKWARD) || (SearchMode==GF_ISOM_SEARCH_BACKWARD)) { ++ if (nextMediaTime && (nextMediaTime-1 < movieTime)) ++ return gf_isom_get_sample_for_movie_time(the_file, trackNumber, nextMediaTime-1, StreamDescriptionIndex, SearchMode, sample, sampleNumber, data_offset); ++ } else { ++ if (nextMediaTime && (nextMediaTime-1 > movieTime)) ++ return gf_isom_get_sample_for_movie_time(the_file, trackNumber, nextMediaTime-1, StreamDescriptionIndex, SearchMode, sample, sampleNumber, data_offset); ++ } + } + return e; + } +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-27147.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-27147.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-27147.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-27147.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,71 @@ +From 9723dd0955894f2cb7be13b94cf7a47f2754b893 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Tue, 8 Feb 2022 16:23:12 +0100 +Subject: [PATCH] fixed #2109 + +--- + include/gpac/internal/scenegraph_dev.h | 2 +- + src/scenegraph/base_scenegraph.c | 4 ++-- + src/scenegraph/dom_events.c | 8 ++++++-- + 3 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/include/gpac/internal/scenegraph_dev.h b/include/gpac/internal/scenegraph_dev.h +index e718c3a0b..d8f2a10a6 100644 +--- a/include/gpac/internal/scenegraph_dev.h ++++ b/include/gpac/internal/scenegraph_dev.h +@@ -945,7 +945,7 @@ GF_Err gf_dom_listener_del(GF_Node *listener, GF_DOMEventTarget *target); + GF_DOMHandler *gf_dom_listener_build_ex(GF_Node *node, u32 event_type, u32 event_parameter, GF_Node *handler, GF_Node **out_listener); + + void gf_dom_event_dump_listeners(GF_Node *n, FILE *f); +-void gf_dom_event_remove_all_listeners(GF_DOMEventTarget *event_target); ++void gf_dom_event_remove_all_listeners(GF_DOMEventTarget *event_target, GF_SceneGraph *sg); + void gf_dom_event_target_del(GF_DOMEventTarget *target); + GF_Err gf_dom_event_remove_listener_from_parent(GF_DOMEventTarget *event_target, GF_Node *listener); + +diff --git a/src/scenegraph/base_scenegraph.c b/src/scenegraph/base_scenegraph.c +index b403d5f40..40f30260b 100644 +--- a/src/scenegraph/base_scenegraph.c ++++ b/src/scenegraph/base_scenegraph.c +@@ -367,7 +367,7 @@ void gf_sg_reset(GF_SceneGraph *sg) + + gf_mx_p(sg->dom_evt_mx); + /*remove listeners attached to the doc*/ +- gf_dom_event_remove_all_listeners(sg->dom_evt); ++ gf_dom_event_remove_all_listeners(sg->dom_evt, sg); + /*flush any pending add_listener*/ + gf_dom_listener_reset_deferred(sg); + gf_mx_v(sg->dom_evt_mx); +@@ -1598,7 +1598,7 @@ void gf_node_free(GF_Node *node) + } + #ifndef GPAC_DISABLE_SVG + if (node->sgprivate->interact->dom_evt) { +- gf_dom_event_remove_all_listeners(node->sgprivate->interact->dom_evt); ++ gf_dom_event_remove_all_listeners(node->sgprivate->interact->dom_evt, node->sgprivate->scenegraph); + gf_dom_event_target_del(node->sgprivate->interact->dom_evt); + } + if (node->sgprivate->interact->animations) { +diff --git a/src/scenegraph/dom_events.c b/src/scenegraph/dom_events.c +index 210b001ad..257f534a4 100644 +--- a/src/scenegraph/dom_events.c ++++ b/src/scenegraph/dom_events.c +@@ -189,11 +189,15 @@ GF_Err gf_dom_event_remove_listener_from_parent(GF_DOMEventTarget *event_target, + return GF_OK; + } + +-void gf_dom_event_remove_all_listeners(GF_DOMEventTarget *event_target) ++void gf_dom_event_remove_all_listeners(GF_DOMEventTarget *event_target, GF_SceneGraph *sg) + { + while (gf_list_count(event_target->listeners)) { + GF_Node *n = (GF_Node *)gf_list_get(event_target->listeners, 0); +- gf_dom_listener_del(n, event_target); ++ if (gf_list_find(sg->exported_nodes, n)>=0) { ++ gf_list_rem(event_target->listeners, 0); ++ } else { ++ gf_dom_listener_del(n, event_target); ++ } + } + } + +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-29537.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-29537.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-29537.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-29537.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,29 @@ +From 1773b7a34bc08734aee7d3f5dfe65d06389fe15a Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Tue, 19 Apr 2022 09:08:45 +0200 +Subject: [PATCH] fixed #2173 + +--- + src/ietf/rtp_pck_mpeg4.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: gpac-1.0.1+dfsg1/src/ietf/rtp_pck_mpeg4.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/ietf/rtp_pck_mpeg4.c ++++ gpac-1.0.1+dfsg1/src/ietf/rtp_pck_mpeg4.c +@@ -421,6 +421,7 @@ GF_Err gp_rtp_builder_do_avc(GP_RTPPacke + } + + if (!nalu) return GF_OK; ++ if (nalu_size<1) return GF_NON_COMPLIANT_BITSTREAM; + + /*need a new RTP packet*/ + if (!builder->bytesInPacket) { +@@ -559,6 +560,7 @@ GF_Err gp_rtp_builder_do_hevc(GP_RTPPack + } + + if (!nalu) return GF_OK; ++ if (nalu_size<2) return GF_NON_COMPLIANT_BITSTREAM; + + /*need a new RTP packet*/ + if (!builder->bytesInPacket) { diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-3222.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-3222.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-3222.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-3222.patch 2023-05-23 08:12:28.000000000 +0000 @@ -0,0 +1,113 @@ +Origin: https://github.com/gpac/gpac/commit/4e7736d7ec7bf64026daa611da951993bb42fdaf +Reviewed-by: Aron Xu + +From 4e7736d7ec7bf64026daa611da951993bb42fdaf Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 12 Sep 2022 10:54:16 +0200 +Subject: [PATCH] fixed #2238 + +--- + src/bifs/script_dec.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/bifs/script_dec.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/bifs/script_dec.c ++++ gpac-1.0.1+dfsg1/src/bifs/script_dec.c +@@ -40,6 +40,7 @@ typedef struct + GF_List *identifiers; + char *new_line; + u32 indent; ++ u32 expr_stack_size; + } ScriptParser; + + +@@ -169,6 +170,7 @@ GF_Err SFScript_Parse(GF_BifsDecoder *co + e = GF_OK; + if (gf_node_get_tag(n) != TAG_MPEG4_Script) return GF_NON_COMPLIANT_BITSTREAM; + ++ memset(&parser, 0, sizeof(ScriptParser)); + parser.codec = codec; + parser.script = n; + parser.bs = bs; +@@ -209,6 +211,10 @@ GF_Err SFScript_Parse(GF_BifsDecoder *co + SFS_Space(&parser); + SFS_StatementBlock(&parser, GF_TRUE); + SFS_Line(&parser); ++ if (codec->LastError) { ++ e = codec->LastError; ++ goto exit; ++ } + } + + SFS_Line(&parser); +@@ -418,6 +424,7 @@ void SFS_CompoundExpression(ScriptParser + if (parser->codec->LastError) return; + SFS_Expression(parser); + if (! gf_bs_read_int(parser->bs, 1)) return; ++ if (parser->codec->LastError) return; + SFS_AddString(parser, ","); + SFS_CompoundExpression(parser); + } +@@ -430,12 +437,20 @@ void SFS_OptionalExpression(ScriptParser + } + } + +- ++#define MAX_EXPR_STACK 500 + void SFS_Expression(ScriptParser *parser) + { + u32 val = gf_bs_read_int(parser->bs, NUMBITS_EXPR_TYPE); + if (parser->codec->LastError) return; + ++ //limit max expression stack size ++ parser->expr_stack_size++; ++ if (parser->expr_stack_size>MAX_EXPR_STACK) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CODEC, ("[BIFS] Max stack size %d reached for expressions, not supported\n", MAX_EXPR_STACK)) ++ parser->codec->LastError = GF_NON_COMPLIANT_BITSTREAM; ++ return; ++ } ++ + switch(val) { + case ET_CURVED_EXPR: + SFS_AddString(parser, "("); +@@ -675,6 +690,7 @@ void SFS_Expression(ScriptParser *parser + assert(0); + break; + } ++ parser->expr_stack_size--; + } + + void SFS_NewObject(ScriptParser *parser) +@@ -691,6 +707,7 @@ void SFS_ArrayDeref(ScriptParser *parser + { + if (parser->codec->LastError) return; + SFS_Expression(parser); ++ if (parser->codec->LastError) return; + SFS_AddString(parser, "["); + SFS_CompoundExpression(parser); + SFS_AddString(parser, "]"); +@@ -709,6 +726,7 @@ void SFS_ObjectMemberAccess(ScriptParser + { + if (parser->codec->LastError) return; + SFS_Expression(parser); ++ if (parser->codec->LastError) return; + SFS_AddString(parser, "."); + SFS_Identifier(parser); + } +@@ -718,6 +736,7 @@ void SFS_ObjectMethodCall(ScriptParser * + { + if (parser->codec->LastError) return; + SFS_Expression(parser); ++ if (parser->codec->LastError) return; + SFS_AddString(parser, "."); + SFS_Identifier(parser); + SFS_AddString(parser, "("); +@@ -732,6 +751,7 @@ void SFS_Params(ScriptParser *parser) + val = gf_bs_read_int(parser->bs, 1); + while (val) { + SFS_Expression(parser); ++ if (parser->codec->LastError) return; + val = gf_bs_read_int(parser->bs, 1); + if(val) SFS_AddString(parser, ","); + } diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-36190_36191.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-36190_36191.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-36190_36191.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-36190_36191.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,93 @@ +From fef6242c69be4f7ba22b32578e4b62648a3d4ed3 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Tue, 12 Jul 2022 18:43:33 +0200 +Subject: [PATCH] fixed #2218 + +--- + include/gpac/internal/isomedia_dev.h | 39 +++++++++++++--------------- + 1 file changed, 18 insertions(+), 21 deletions(-) + +diff --git a/include/gpac/internal/isomedia_dev.h b/include/gpac/internal/isomedia_dev.h +index 8b62f9e94..df6262594 100644 +--- a/include/gpac/internal/isomedia_dev.h ++++ b/include/gpac/internal/isomedia_dev.h +@@ -1522,7 +1522,7 @@ typedef struct + GF_ColourInformationBox *colr; + } GF_J2KHeaderBox; + +-typedef struct ++typedef struct __full_video_sample_entry + { + GF_ISOM_VISUAL_SAMPLE_ENTRY + GF_ESDBox *esd; +@@ -1556,6 +1556,14 @@ typedef struct + /*iPod's hack*/ + GF_UnknownUUIDBox *ipod_ext; + ++ //for generic video sample entry ++ ++ //box type as specified in the file (not this box's type!!) ++ u32 EntryType; ++ //opaque description data (ESDS in MP4, SMI in SVQ3, ...) ++ u8 *data; ++ u32 data_size; ++ + } GF_MPEGVisualSampleEntryBox; + + static const u8 GF_ISOM_IPOD_EXT[][16] = { { 0x6B, 0x68, 0x40, 0xF2, 0x5F, 0x24, 0x4F, 0xC5, 0xBA, 0x39, 0xA5, 0x1B, 0xCF, 0x03, 0x23, 0xF3} }; +@@ -1563,16 +1571,7 @@ static const u8 GF_ISOM_IPOD_EXT[][16] = { { 0x6B, 0x68, 0x40, 0xF2, 0x5F, 0x24, + Bool gf_isom_is_nalu_based_entry(GF_MediaBox *mdia, GF_SampleEntryBox *_entry); + GF_Err gf_isom_nalu_sample_rewrite(GF_MediaBox *mdia, GF_ISOSample *sample, u32 sampleNumber, GF_MPEGVisualSampleEntryBox *entry); + +-/*this is the default visual sdst (to handle unknown media)*/ +-typedef struct +-{ +- GF_ISOM_VISUAL_SAMPLE_ENTRY +- /*box type as specified in the file (not this box's type!!)*/ +- u32 EntryType; +- /*opaque description data (ESDS in MP4, SMI in SVQ3, ...)*/ +- u8 *data; +- u32 data_size; +-} GF_GenericVisualSampleEntryBox; ++typedef struct __full_video_sample_entry GF_GenericVisualSampleEntryBox; + + enum + { +@@ -1702,7 +1701,7 @@ typedef struct + } GF_PCMConfigBox; + + +-typedef struct ++typedef struct __full_audio_sample_entry + { + GF_ISOM_AUDIO_SAMPLE_ENTRY + //for MPEG4 audio +@@ -1726,18 +1725,16 @@ typedef struct + //for FLAC + GF_FLACConfigBox *cfg_flac; + +-} GF_MPEGAudioSampleEntryBox; +- +-/*this is the default visual sdst (to handle unknown media)*/ +-typedef struct +-{ +- GF_ISOM_AUDIO_SAMPLE_ENTRY +- /*box type as specified in the file (not this box's type!!)*/ ++ //for generic audio sample entry ++ //box type as specified in the file (not this box's type!!) + u32 EntryType; +- /*opaque description data (ESDS in MP4, ...)*/ ++ //opaque description data (ESDS in MP4, ...) + u8 *data; + u32 data_size; +-} GF_GenericAudioSampleEntryBox; ++ ++} GF_MPEGAudioSampleEntryBox; ++ ++typedef struct __full_audio_sample_entry GF_GenericAudioSampleEntryBox; + + + typedef struct +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-38530.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-38530.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-38530.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-38530.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,58 @@ +Origin: https://github.com/gpac/gpac/commit/4e56ad72ac1afb4e049a10f2d99e7512d7141f9d +Reviewed-by: Aron Xu + +From 4e56ad72ac1afb4e049a10f2d99e7512d7141f9d Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Tue, 12 Jul 2022 18:29:36 +0200 +Subject: [PATCH] fixed #2216 + +--- + applications/mp4box/mp4box.c | 2 +- + src/odf/desc_private.c | 14 ++++++++++++-- + 2 files changed, 13 insertions(+), 3 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/odf/desc_private.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/odf/desc_private.c ++++ gpac-1.0.1+dfsg1/src/odf/desc_private.c +@@ -273,7 +273,7 @@ GF_Err gf_odf_delete_descriptor(GF_Descr + // + // READERS + // +-GF_Err gf_odf_read_descriptor(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSize) ++static GF_Err gf_odf_read_descriptor_internal(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSize) + { + switch (desc->tag) { + case GF_ODF_IOD_TAG : +@@ -368,7 +368,17 @@ GF_Err gf_odf_read_descriptor(GF_BitStre + return GF_OK; + } + +- ++GF_Err gf_odf_read_descriptor(GF_BitStream *bs, GF_Descriptor *desc, u32 DescSize) ++{ ++ u64 cookie = gf_bs_get_cookie(bs); ++ //we allow 100 max desc in a hierarchy - see issue 2216 ++ if (cookie>100) ++ return GF_NON_COMPLIANT_BITSTREAM; ++ gf_bs_set_cookie(bs, cookie+1); ++ GF_Err e = gf_odf_read_descriptor_internal(bs, desc, DescSize); ++ gf_bs_set_cookie(bs, cookie); ++ return e; ++} + + + +Index: gpac-1.0.1+dfsg1/applications/mp4box/main.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/applications/mp4box/main.c ++++ gpac-1.0.1+dfsg1/applications/mp4box/main.c +@@ -1359,7 +1359,7 @@ GF_Err HintFile(GF_ISOFile *file, u32 MT + + if (e) { + fprintf(stderr, "Error while hinting (%s)\n", gf_error_to_string(e)); +- if (!nb_done) return e; ++ return e; + } + init_payt++; + nb_done ++; diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-3957.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-3957.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-3957.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-3957.patch 2023-05-23 08:12:28.000000000 +0000 @@ -0,0 +1,91 @@ +Origin: https://github.com/gpac/gpac/commit/2191e66aa7df750e8ef01781b1930bea87b713bb +Reviewed-by: Aron Xu + +From 2191e66aa7df750e8ef01781b1930bea87b713bb Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 7 Nov 2022 08:59:52 +0100 +Subject: [PATCH] fixed mem leak in sgv parse error + +--- + src/scene_manager/loader_svg.c | 10 +++++++--- + src/scenegraph/svg_attributes.c | 11 +++++++---- + testsuite | 2 +- + 3 files changed, 15 insertions(+), 8 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/scene_manager/loader_svg.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/scene_manager/loader_svg.c ++++ gpac-1.0.1+dfsg1/src/scene_manager/loader_svg.c +@@ -446,6 +446,7 @@ static Bool svg_parse_animation(GF_SVG_P + if (anim->to) { + /* now that we have a target, if there is a to value to parse, create the attribute and parse it */ + gf_node_get_attribute_by_tag((GF_Node *)anim->animation_elt, TAG_SVG_ATT_to, GF_TRUE, GF_FALSE, &info); ++ if (!info.name) info.name = "to"; + gf_svg_parse_attribute((GF_Node *)anim->animation_elt, &info, anim->to, anim_value_type); + if (anim_value_type==XMLRI_datatype) { + svg_post_process_href(parser, (GF_Node *) anim->target, (XMLRI*)((SMIL_AnimateValue *)info.far_ptr)->value); +@@ -454,6 +455,7 @@ static Bool svg_parse_animation(GF_SVG_P + if (anim->from) { + /* now that we have a target, if there is a from value to parse, create the attribute and parse it */ + gf_node_get_attribute_by_tag((GF_Node *)anim->animation_elt, TAG_SVG_ATT_from, GF_TRUE, GF_FALSE, &info); ++ if (!info.name) info.name = "from"; + gf_svg_parse_attribute((GF_Node *)anim->animation_elt, &info, anim->from, anim_value_type); + if (anim_value_type==XMLRI_datatype) + svg_post_process_href(parser, (GF_Node *) anim->target, (XMLRI*)((SMIL_AnimateValue *)info.far_ptr)->value); +@@ -461,6 +463,7 @@ static Bool svg_parse_animation(GF_SVG_P + if (anim->by) { + /* now that we have a target, if there is a by value to parse, create the attribute and parse it */ + gf_node_get_attribute_by_tag((GF_Node *)anim->animation_elt, TAG_SVG_ATT_by, GF_TRUE, GF_FALSE, &info); ++ if (!info.name) info.name = "by"; + gf_svg_parse_attribute((GF_Node *)anim->animation_elt, &info, anim->by, anim_value_type); + if (anim_value_type==XMLRI_datatype) + svg_post_process_href(parser, (GF_Node *) anim->target, (XMLRI*)((SMIL_AnimateValue *)info.far_ptr)->value); +@@ -468,6 +471,7 @@ static Bool svg_parse_animation(GF_SVG_P + if (anim->values) { + /* now that we have a target, if there is a 'values' value to parse, create the attribute and parse it */ + gf_node_get_attribute_by_tag((GF_Node *)anim->animation_elt, TAG_SVG_ATT_values, GF_TRUE, GF_FALSE, &info); ++ if (!info.name) info.name = "values"; + gf_svg_parse_attribute((GF_Node *)anim->animation_elt, &info, anim->values, anim_value_type); + if (anim_value_type==XMLRI_datatype) { + u32 i, count; +@@ -2110,13 +2114,13 @@ GF_Err load_svg_run(GF_SceneLoader *load + + in_time = gf_sys_clock(); + e = gf_xml_sax_parse_file(parser->sax_parser, (const char *)load->fileName, svg_progress); ++ svg_flush_animations(parser); ++ gf_sm_svg_flush_state(parser); + if (parser->last_error<0) e = parser->last_error; +- ++ + if (e<0) return svg_report(parser, e, "Unable to parse file %s: %s", load->fileName, gf_xml_sax_get_error(parser->sax_parser) ); + GF_LOG(GF_LOG_INFO, GF_LOG_PARSER, ("[Parser] Scene parsed and Scene Graph built in %d ms\n", gf_sys_clock() - in_time)); + +- svg_flush_animations(parser); +- gf_sm_svg_flush_state(parser); + return e; + + } +Index: gpac-1.0.1+dfsg1/src/scenegraph/svg_attributes.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/scenegraph/svg_attributes.c ++++ gpac-1.0.1+dfsg1/src/scenegraph/svg_attributes.c +@@ -2906,7 +2906,7 @@ static void svg_parse_preserveaspectrati + while (*content == ' ') content++; + if (strstr(content, "defer")) { + par->defer = 1; +- content += 4; ++ content += 5; + } else { + content = attribute_content; + } +@@ -3446,8 +3446,8 @@ GF_Err gf_svg_parse_attribute(GF_Node *n + *(SVG_String *)info->far_ptr = gf_strdup(attribute_content); + break; + default: +- GF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, ("[SVG Parsing] Cannot parse attribute %s\n", info->name, gf_svg_attribute_type_to_string(info->fieldType))); +- break; ++ GF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, ("[SVG Parsing] Cannot parse attribute \"%s\"\n", info->name, gf_svg_attribute_type_to_string(info->fieldType))); ++ return GF_OK; + } + return GF_OK; + } diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-4202.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-4202.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-4202.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-4202.patch 2023-05-23 08:12:28.000000000 +0000 @@ -0,0 +1,78 @@ +From b3d821c4ae9ba62b3a194d9dcb5e99f17bd56908 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 12 Dec 2022 09:35:12 +0100 +Subject: [PATCH] fixed #2333 + +--- + src/laser/lsr_dec.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +diff --git a/src/laser/lsr_dec.c b/src/laser/lsr_dec.c +index 488babb10..283092f2a 100644 +--- a/src/laser/lsr_dec.c ++++ b/src/laser/lsr_dec.c +@@ -300,11 +300,21 @@ static void lsr_read_extension(GF_LASeRCodec *lsr, const char *name) + + static void lsr_read_extend_class(GF_LASeRCodec *lsr, char **out_data, u32 *out_len, const char *name) + { +- u32 len; ++ u32 len, blen; + GF_LSR_READ_INT(lsr, len, lsr->info->cfg.extensionIDBits, "reserved"); + len = lsr_read_vluimsbf5(lsr, "len"); +-// while (len) gf_bs_read_int(lsr->bs, 1); +- gf_bs_read_long_int(lsr->bs, len); ++ while (len && !gf_bs_is_align(lsr->bs)) { ++ gf_bs_read_int(lsr->bs, len); ++ len--; ++ } ++ blen = len / 8; ++ gf_bs_skip_bytes(lsr->bs, blen); ++ len -= blen*8; ++ ++ while (len) { ++ gf_bs_read_int(lsr->bs, 1); ++ len--; ++ } + if (out_data) *out_data = NULL; + if (out_len) *out_len = 0; + } +@@ -839,10 +849,11 @@ static void lsr_read_id(GF_LASeRCodec *lsr, GF_Node *n) + static Fixed lsr_translate_coords(GF_LASeRCodec *lsr, u32 val, u32 nb_bits) + { + if (!nb_bits) return 0; +- ++ if (nb_bits>=32) return 0; ++ + #ifdef GPAC_FIXED_POINT + if (val >> (nb_bits-1) ) { +- s32 neg = (s32) val - (1<res_factor); + return gf_divfix(INT2FIX(neg), lsr->res_factor); +@@ -853,10 +864,10 @@ static Fixed lsr_translate_coords(GF_LASeRCodec *lsr, u32 val, u32 nb_bits) + } + #else + if (val >> (nb_bits-1) ) { +- s32 neg = (s32) val - (1<res_factor); ++ s64 neg = (s64) val - (0x00000001UL << nb_bits); ++ return ((Fixed)neg) / lsr->res_factor; + } else { +- return gf_divfix(INT2FIX(val), lsr->res_factor); ++ return ((Fixed)val) / lsr->res_factor; + } + #endif + } +@@ -864,7 +875,7 @@ static Fixed lsr_translate_coords(GF_LASeRCodec *lsr, u32 val, u32 nb_bits) + static Fixed lsr_translate_scale(GF_LASeRCodec *lsr, u32 val) + { + if (val >> (lsr->coord_bits-1) ) { +- s32 v = val - (1<coord_bits); ++ s64 v = val - (0x00000001UL << lsr->coord_bits); + return INT2FIX(v) / 256 ; + } else { + return INT2FIX(val) / 256; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-43255.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-43255.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-43255.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-43255.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,28 @@ +From d82e1340d7fd5ceea205e0f173500102f3237eb4 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Tue, 11 Oct 2022 10:37:25 +0200 +Subject: [PATCH] fixed #2285 + +--- + src/scene_manager/loader_xmt.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/scene_manager/loader_xmt.c b/src/scene_manager/loader_xmt.c +index e5941d5b0..25e712680 100644 +--- a/src/scene_manager/loader_xmt.c ++++ b/src/scene_manager/loader_xmt.c +@@ -3176,6 +3176,11 @@ static void load_xmt_done(GF_SceneLoader *load) + } + if (parser->x3d_root) gf_free(parser->x3d_root); + gf_list_del(parser->nodes); ++ //we may have one root desc remaining if error ++ if (gf_list_count(parser->descriptors)) { ++ GF_Descriptor *desc = gf_list_get(parser->descriptors, 0); ++ gf_odf_desc_del(desc); ++ } + gf_list_del(parser->descriptors); + gf_list_del(parser->def_nodes); + gf_list_del(parser->peeked_nodes); +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-45202.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-45202.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-45202.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-45202.patch 2023-05-23 08:12:28.000000000 +0000 @@ -0,0 +1,71 @@ +From 74e53280dad7b29f85386c6a1286fb92643465da Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Fri, 4 Nov 2022 09:18:47 +0100 +Subject: [PATCH] fixed #2294 + +--- + src/isomedia/box_code_3gpp.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/src/isomedia/box_code_3gpp.c b/src/isomedia/box_code_3gpp.c +index d75eae60a..cee178fcf 100644 +--- a/src/isomedia/box_code_3gpp.c ++++ b/src/isomedia/box_code_3gpp.c +@@ -1046,8 +1046,7 @@ void dimC_box_del(GF_Box *s) + + GF_Err dimC_box_read(GF_Box *s, GF_BitStream *bs) + { +- char str[1024]; +- u32 i; ++ u32 i, msize; + GF_DIMSSceneConfigBox *p = (GF_DIMSSceneConfigBox *)s; + + ISOM_DECREASE_SIZE(p, 3); +@@ -1058,27 +1057,42 @@ GF_Err dimC_box_read(GF_Box *s, GF_BitStream *bs) + p->streamType = gf_bs_read_int(bs, 1); + p->containsRedundant = gf_bs_read_int(bs, 2); + ++ char *str = gf_malloc(sizeof(char)*(p->size+1)); ++ if (!str) return GF_OUT_OF_MEM; ++ msize = p->size; ++ str[msize] = 0; + i=0; + str[0]=0; +- while (i < GF_ARRAY_LENGTH(str)) { ++ while (i < msize) { + str[i] = gf_bs_read_u8(bs); + if (!str[i]) break; + i++; + } + ISOM_DECREASE_SIZE(p, i); ++ if (i == msize) { ++ gf_free(str); ++ return GF_ISOM_INVALID_FILE; ++ } + + p->textEncoding = gf_strdup(str); + + i=0; + str[0]=0; +- while (i < GF_ARRAY_LENGTH(str)) { ++ while (i < msize) { + str[i] = gf_bs_read_u8(bs); + if (!str[i]) break; + i++; + } + ISOM_DECREASE_SIZE(p, i); ++ if (i == msize) { ++ gf_free(str); ++ return GF_ISOM_INVALID_FILE; ++ } + + p->contentEncoding = gf_strdup(str); ++ gf_free(str); ++ if (p->textEncoding || !p->contentEncoding) ++ return GF_OUT_OF_MEM; + return GF_OK; + } + +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-45283.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-45283.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-45283.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-45283.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,40 @@ +From 0fc714872ba4536a1190f93aa278b6e08f8c60df Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Fri, 4 Nov 2022 09:26:34 +0100 +Subject: [PATCH] fixed #2295 + +--- + src/scenegraph/svg_attributes.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/scenegraph/svg_attributes.c b/src/scenegraph/svg_attributes.c +index bf861cc5d..0dbe20a7d 100644 +--- a/src/scenegraph/svg_attributes.c ++++ b/src/scenegraph/svg_attributes.c +@@ -2467,17 +2467,22 @@ static void svg_parse_boolean(SVG_Boolean *value, char *value_string) + static void smil_parse_time_list(GF_Node *e, GF_List *values, char *begin_or_end_list) + { + SMIL_Time *value; +- char value_string[500]; ++ char value_string[1025]; + char *str = begin_or_end_list, *tmp; + u32 len; + + /* get rid of leading spaces */ + while (*str == ' ') str++; + ++ value_string[1024] = 0; + while (1) { + tmp = strchr(str, ';'); + if (tmp) len = (u32) (tmp-str); + else len = (u32) strlen(str); ++ if (len>1024) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_PARSER, ("[SVG Parsing] SMIL time list attribute too long, max supported 1024 bytes\n")); ++ goto err; ++ } + memcpy(value_string, str, len); + while ((len > 0) && (value_string[len - 1] == ' ')) + len--; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-45343.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-45343.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-45343.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-45343.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,81 @@ +From 1016912db5408b6f38e8eb715279493ae380d1c4 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 14 Nov 2022 14:45:13 +0100 +Subject: [PATCH] fixed #2315 + +--- + src/bifs/field_decode.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/src/bifs/field_decode.c b/src/bifs/field_decode.c +index f0235147a..d3a4fbe2e 100644 +--- a/src/bifs/field_decode.c ++++ b/src/bifs/field_decode.c +@@ -302,7 +302,7 @@ GF_Err gf_bifs_dec_sf_field(GF_BifsDecoder * codec, GF_BitStream *bs, GF_Node *n + GF_Err BD_DecMFFieldList(GF_BifsDecoder * codec, GF_BitStream *bs, GF_Node *node, GF_FieldInfo *field, Bool is_mem_com) + { + GF_Node *new_node; +- GF_Err e; ++ GF_Err e=GF_OK; + u8 endFlag, qp_local, qp_on, initial_qp; + GF_ChildNodeItem *last = NULL; + u32 nbF; +@@ -323,15 +323,15 @@ GF_Err BD_DecMFFieldList(GF_BifsDecoder * codec, GF_BitStream *bs, GF_Node *node + while (!endFlag && (codec->LastError>=0)) { + if (field->fieldType != GF_SG_VRML_MFNODE) { + e = gf_sg_vrml_mf_append(field->far_ptr, field->fieldType, & sffield.far_ptr); +- if (e) return e; ++ if (e) goto exit; + e = gf_bifs_dec_sf_field(codec, bs, node, &sffield, GF_FALSE); +- if (e) return e; ++ if (e) goto exit; + } else { + new_node = gf_bifs_dec_node(codec, bs, field->NDTtype); + //append + if (new_node) { + e = gf_node_register(new_node, is_mem_com ? NULL : node); +- if (e) return e; ++ if (e) goto exit; + + //regular coding + if (node) { +@@ -341,7 +341,7 @@ GF_Err BD_DecMFFieldList(GF_BifsDecoder * codec, GF_BitStream *bs, GF_Node *node + //we have a QP in the same scope, remove previous + if (qp_on) gf_bifs_dec_qp_remove(codec, GF_FALSE); + e = gf_bifs_dec_qp_set(codec, new_node); +- if (e) return e; ++ if (e) goto exit; + qp_on = 1; + if (qp_local) qp_local = 2; + if (codec->force_keep_qp) { +@@ -361,10 +361,11 @@ GF_Err BD_DecMFFieldList(GF_BifsDecoder * codec, GF_BitStream *bs, GF_Node *node + e = gf_node_list_add_child_last( (GF_ChildNodeItem **)field->far_ptr, new_node, &last); + } + } else { +- return codec->LastError; ++ e = codec->LastError; ++ goto exit; + } + } +- if (e) return e; ++ if (e) goto exit; + + endFlag = gf_bs_read_int(bs, 1); + +@@ -382,9 +383,13 @@ GF_Err BD_DecMFFieldList(GF_BifsDecoder * codec, GF_BitStream *bs, GF_Node *node + } + nbF += 1; + } ++ ++exit: + /*finally delete the QP if any (local or not) as we get out of this node + and reactivate previous one*/ + if (qp_on) gf_bifs_dec_qp_remove(codec, initial_qp); ++ if (e) return e; ++ + /*this is for QP 14*/ + gf_bifs_dec_qp14_set_length(codec, nbF); + return GF_OK; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47086.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47086.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47086.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47086.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,44 @@ +From 15e3aece44f24a1c4e8cc0622c59008b1b9ab683 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 12 Dec 2022 09:42:30 +0100 +Subject: [PATCH] fixed #2337 + +--- + src/scene_manager/swf_parse.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/scene_manager/swf_parse.c b/src/scene_manager/swf_parse.c +index c50959ec2..6ae7b2439 100644 +--- a/src/scene_manager/swf_parse.c ++++ b/src/scene_manager/swf_parse.c +@@ -2568,7 +2568,7 @@ SWFReader *gf_swf_reader_new(const char *localPath, const char *inputName) + read->inputName = gf_strdup(inputName); + read->input = input; + read->bs = gf_bs_from_file(input, GF_BITSTREAM_READ); +- gf_bs_set_eos_callback(read->bs, swf_io_error, &read); ++ gf_bs_set_eos_callback(read->bs, swf_io_error, read); + read->display_list = gf_list_new(); + read->fonts = gf_list_new(); + read->apps = gf_list_new(); +@@ -2612,7 +2612,7 @@ GF_Err gf_swf_read_header(SWFReader *read) + sig[2] = gf_bs_read_u8(read->bs); + /*"FWS" or "CWS"*/ + if ( ((sig[0] != 'F') && (sig[0] != 'C')) || (sig[1] != 'W') || (sig[2] != 'S') ) { +- return GF_URL_ERROR; ++ return GF_NON_COMPLIANT_BITSTREAM; + } + /*version = */gf_bs_read_u8(read->bs); + read->length = swf_get_32(read); +@@ -2663,7 +2663,8 @@ GF_Err gf_sm_load_init_swf(GF_SceneLoader *load) + read->flat_limit = FLT2FIX(load->swf_flatten_limit); + load->loader_priv = read; + +- gf_swf_read_header(read); ++ e = gf_swf_read_header(read); ++ if (e) goto exit; + load->ctx->scene_width = FIX2INT(read->width); + load->ctx->scene_height = FIX2INT(read->height); + load->ctx->is_pixel_metrics = 1; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47091.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47091.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47091.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47091.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,43 @@ +From 65d089bcb5dad6fda668ee61e38a8394ed8bdf1f Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 12 Dec 2022 10:14:43 +0100 +Subject: [PATCH] fixed #2343 + +--- + src/filters/load_text.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/filters/load_text.c b/src/filters/load_text.c +index 8010aea32..a0e455d1a 100644 +--- a/src/filters/load_text.c ++++ b/src/filters/load_text.c +@@ -2508,7 +2508,7 @@ static GF_Err gf_text_process_sub(GF_Filter *filter, GF_TXTIn *ctx, GF_FilterPac + u32 i, j, len, line; + GF_TextSample *samp; + Double ts_scale; +- char szLine[2048], szTime[20], szText[2048]; ++ char szLine[2048], szTime[41], szText[2048]; + + //same setup as for srt + if (!ctx->is_setup) { +@@ -2550,8 +2550,7 @@ static GF_Err gf_text_process_sub(GF_Filter *filter, GF_TXTIn *ctx, GF_FilterPac + while (szLine[i+1] && szLine[i+1]!='}') { + szTime[i] = szLine[i+1]; + i++; +- if (i>=19) +- break; ++ if (i>=40) break; + } + szTime[i] = 0; + ctx->start = atoi(szTime); +@@ -2568,6 +2567,7 @@ static GF_Err gf_text_process_sub(GF_Filter *filter, GF_TXTIn *ctx, GF_FilterPac + while (szLine[i+1+j] && szLine[i+1+j]!='}') { + szTime[i] = szLine[i+1+j]; + i++; ++ if (i>=40) break; + } + szTime[i] = 0; + ctx->end = atoi(szTime); +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47094.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47094.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47094.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47094.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,25 @@ +From 6ddedfb85e617f5e935cb490d5b51f141e13a937 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 12 Dec 2022 10:35:51 +0100 +Subject: [PATCH] fixed #2345 + +--- + src/filters/dmx_m2ts.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/filters/dmx_m2ts.c b/src/filters/dmx_m2ts.c +index 9c58e0d1d..b4e5ff254 100644 +--- a/src/filters/dmx_m2ts.c ++++ b/src/filters/dmx_m2ts.c +@@ -340,7 +340,7 @@ static void m2tsdmx_declare_pid(GF_M2TSDmxCtx *ctx, GF_M2TS_PES *stream, GF_ESD + case GF_M2TS_SYSTEMS_MPEG4_PES: + if (!esd) { + m4sys_iod_stream = GF_TRUE; +- count = gf_list_count(stream->program->pmt_iod->ESDescriptors); ++ count = stream->program->pmt_iod ? gf_list_count(stream->program->pmt_iod->ESDescriptors) : 0; + for (i=0; iprogram->pmt_iod->ESDescriptors, i); + if (esd->ESID == stream->mpeg4_es_id) break; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47095.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47095.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47095.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47095.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,45 @@ +From 1918a58bd0c9789844cf6a377293161506ee312c Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 12 Dec 2022 10:45:38 +0100 +Subject: [PATCH] fixed #2346 + +--- + src/media_tools/av_parsers.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/media_tools/av_parsers.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/media_tools/av_parsers.c ++++ gpac-1.0.1+dfsg1/src/media_tools/av_parsers.c +@@ -7060,18 +7060,20 @@ static Bool hevc_parse_vps_extension(HEV + num_scalability_types = 16; + } + dimension_id_len[0] = 0; +- for (i = 0; i < (num_scalability_types - splitting_flag); i++) { +- dimension_id_len[i] = 1 + gf_bs_read_int(bs, 3); +- } ++ if (num_scalability_types) { ++ for (i = 0; i < (num_scalability_types - splitting_flag); i++) { ++ dimension_id_len[i] = 1 + gf_bs_read_int(bs, 3); ++ } + +- if (splitting_flag) { +- for (i = 0; i < num_scalability_types; i++) { +- dim_bit_offset[i] = 0; +- for (j = 0; j < i; j++) +- dim_bit_offset[i] += dimension_id_len[j]; +- } +- dimension_id_len[num_scalability_types - 1] = 1 + (5 - dim_bit_offset[num_scalability_types - 1]); +- dim_bit_offset[num_scalability_types] = 6; ++ if (splitting_flag) { ++ for (i = 0; i < num_scalability_types; i++) { ++ dim_bit_offset[i] = 0; ++ for (j = 0; j < i; j++) ++ dim_bit_offset[i] += dimension_id_len[j]; ++ } ++ dimension_id_len[num_scalability_types - 1] = 1 + (5 - dim_bit_offset[num_scalability_types - 1]); ++ dim_bit_offset[num_scalability_types] = 6; ++ } + } + + vps_nuh_layer_id_present_flag = gf_bs_read_int(bs, 1); diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47657.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47657.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47657.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47657.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,28 @@ +From 9f1e633184904fffc315bd35ebce76b4b42f9097 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Sat, 17 Dec 2022 12:11:34 +0100 +Subject: [PATCH] fixed #2355 + +--- + src/media_tools/av_parsers.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/media_tools/av_parsers.c b/src/media_tools/av_parsers.c +index 4b63b4d69..126f825b5 100644 +--- a/src/media_tools/av_parsers.c ++++ b/src/media_tools/av_parsers.c +@@ -7659,6 +7659,11 @@ static Bool hevc_parse_vps_extension(HEVC_VPS *vps, GF_BitStream *bs) + else { + vps->layer_id_in_nuh[i] = i; + } ++ if (vps->layer_id_in_nuh[i] > MAX_LHVC_LAYERS) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CODING, ("[HEVC] %d layers in VPS ext but only %d supported in GPAC\n", vps->layer_id_in_nuh[i], MAX_LHVC_LAYERS)); ++ vps->layer_id_in_nuh[i] = 0; ++ return -1; ++ } + vps->layer_id_in_vps[vps->layer_id_in_nuh[i]] = i; + + if (!splitting_flag) { +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47659.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47659.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47659.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47659.patch 2023-05-18 06:09:59.000000000 +0000 @@ -0,0 +1,45 @@ +From 348d7722c1e90c7811b43b0eed5c2aca2cb8a717 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Sat, 17 Dec 2022 12:06:16 +0100 +Subject: [PATCH] fixed #2354 + +--- + src/filters/reframe_latm.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/filters/reframe_latm.c b/src/filters/reframe_latm.c +index 3128104b2..b332c3f42 100644 +--- a/src/filters/reframe_latm.c ++++ b/src/filters/reframe_latm.c +@@ -30,6 +30,8 @@ + + #ifndef GPAC_DISABLE_AV_PARSERS + ++#define LATM_DMX_MAX_SIZE 8192 ++ + typedef struct + { + u64 pos; +@@ -157,7 +159,7 @@ static Bool latm_dmx_sync_frame_bs(GF_BitStream *bs, GF_M4ADecSpecInfo *acfg, u3 + size += tmp; + if (tmp!=255) break; + } +- if (gf_bs_available(bs) < size) { ++ if ((gf_bs_available(bs) < size) || (size > LATM_DMX_MAX_SIZE)){ + gf_bs_seek(bs, pos-3); + return GF_FALSE; + } +@@ -521,8 +523,8 @@ GF_Err latm_dmx_process(GF_Filter *filter) + + while (1) { + pos = (u32) gf_bs_get_position(ctx->bs); +- u8 latm_buffer[4096]; +- u32 latm_frame_size = 4096; ++ u8 latm_buffer[LATM_DMX_MAX_SIZE]; ++ u32 latm_frame_size = LATM_DMX_MAX_SIZE; + if (!latm_dmx_sync_frame_bs(ctx->bs,&ctx->acfg, &latm_frame_size, latm_buffer, NULL)) break; + + if (ctx->in_seek) { +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47660.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47660.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47660.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47660.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,71 @@ +From a8f438d201fb165961ba1d5d3b80daa3637735f4 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Sat, 17 Dec 2022 12:28:51 +0100 +Subject: [PATCH] fixed #2357 + +--- + src/isomedia/isom_write.c | 23 +++++++++++++++++------ + src/media_tools/media_import.c | 2 +- + 2 files changed, 18 insertions(+), 7 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/isomedia/isom_write.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/isomedia/isom_write.c ++++ gpac-1.0.1+dfsg1/src/isomedia/isom_write.c +@@ -4605,10 +4605,19 @@ GF_Err gf_isom_shift_cts_offset(GF_ISOFi + if (!trak->Media->information->sampleTable->CompositionOffset) return GF_BAD_PARAM; + if (!trak->Media->information->sampleTable->CompositionOffset->unpack_mode) return GF_BAD_PARAM; + +- for (i=0; iMedia->information->sampleTable->CompositionOffset->nb_entries; i++) { ++ GF_CompositionOffsetBox *ctso = trak->Media->information->sampleTable->CompositionOffset; ++ for (i=0; inb_entries; i++) { ++ s64 new_ts = ctso->entries[i].decodingOffset; ++ new_ts -= offset_shift; + /*we're in unpack mode: one entry per sample*/ +- trak->Media->information->sampleTable->CompositionOffset->entries[i].decodingOffset -= offset_shift; ++ ctso->entries[i].decodingOffset = (s32) new_ts; + } ++ if (trak->Media->mediaHeader->duration >= -offset_shift) { ++ s64 new_dur = trak->Media->mediaHeader->duration; ++ new_dur -= offset_shift; ++ if (new_dur<0) new_dur = 0; ++ trak->Media->mediaHeader->duration = (u32) new_dur; ++ } + return GF_OK; + } + +@@ -6526,7 +6535,9 @@ static GF_Err gf_isom_set_ctts_v0(GF_ISO + if (shift > 0) + { + for (i=0; inb_entries; i++) { +- ctts->entries[i].decodingOffset += shift; ++ s64 new_ts = ctts->entries[i].decodingOffset; ++ new_ts += shift; ++ ctts->entries[i].decodingOffset = (u32) shift; + } + } + } +@@ -6535,7 +6546,9 @@ static GF_Err gf_isom_set_ctts_v0(GF_ISO + cslg = trak->Media->information->sampleTable->CompositionToDecode; + shift = cslg->compositionToDTSShift; + for (i=0; inb_entries; i++) { +- ctts->entries[i].decodingOffset += shift; ++ s64 new_ts = ctts->entries[i].decodingOffset; ++ new_ts += shift; ++ ctts->entries[i].decodingOffset = (u32) shift; + } + gf_isom_box_del_parent(&trak->Media->information->sampleTable->child_boxes, (GF_Box *)cslg); + trak->Media->information->sampleTable->CompositionToDecode = NULL; +Index: gpac-1.0.1+dfsg1/src/media_tools/media_import.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/media_tools/media_import.c ++++ gpac-1.0.1+dfsg1/src/media_tools/media_import.c +@@ -99,7 +99,7 @@ static void gf_media_update_bitrate_ex(G + + br = (Double) (s64) gf_isom_get_media_duration(file, track); + br /= timescale; +- if (br) { ++ if (br>0) { + GF_ESD *esd = NULL; + if (!csize || !cdur) { + bitrate = (u32) ((Double) (s64)avg_rate / br); diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47661.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47661.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47661.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47661.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,27 @@ +Origin: https://github.com/gpac/gpac/commit/aa8fbec874b5e040854effff5309aa445c234618 +Reviewed-by: Aron Xu + +From aa8fbec874b5e040854effff5309aa445c234618 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 19 Dec 2022 11:50:31 +0100 +Subject: [PATCH] fixed #2358 + +diff --git a/src/media_tools/av_parsers.c b/src/media_tools/av_parsers.c +index caffb63b5..38429382f 100644 +--- a/src/media_tools/av_parsers.c ++++ b/src/media_tools/av_parsers.c +@@ -6335,7 +6335,10 @@ u32 gf_avc_reformat_sei(u8 *buffer, u32 nal_size, Bool isobmf_rewrite, AVCState + if (gf_bs_available(bs) <= 2) { + var = gf_bs_read_int(bs, 8); + if (var != 0x80) { +- GF_LOG(GF_LOG_WARNING, GF_LOG_CODING, ("[avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found\n")); ++ GF_LOG(GF_LOG_WARNING, GF_LOG_CODING, ("[avc-h264] SEI user message has less than 2 bytes remaining but no end of sei found, keeping full SEI untouched\n")); ++ if (bs_dest) gf_bs_del(bs_dest); ++ gf_bs_del(bs); ++ return nal_size; + } + if (bs_dest) gf_bs_write_int(bs_dest, 0x80, 8); + break; +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47662.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47662.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47662.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47662.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,199 @@ +From 080a62728ccd251a7f20eaac3fda21b0716e3c9b Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 19 Dec 2022 12:25:50 +0100 +Subject: [PATCH] fixed #2359 + +--- + include/gpac/internal/isomedia_dev.h | 2 +- + src/isomedia/avc_ext.c | 51 +++++++++++++++++++++------- + src/media_tools/isom_tools.c | 4 +++ + 3 files changed, 44 insertions(+), 13 deletions(-) + +Index: gpac-1.0.1+dfsg1/include/gpac/internal/isomedia_dev.h +=================================================================== +--- gpac-1.0.1+dfsg1.orig/include/gpac/internal/isomedia_dev.h ++++ gpac-1.0.1+dfsg1/include/gpac/internal/isomedia_dev.h +@@ -922,7 +922,7 @@ typedef struct __tag_media_box + + GF_ISOSample *extracted_samp; + GF_BitStream *extracted_bs; +- ++ Bool in_nalu_rewrite; + } GF_MediaBox; + + typedef struct +Index: gpac-1.0.1+dfsg1/src/isomedia/avc_ext.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/isomedia/avc_ext.c ++++ gpac-1.0.1+dfsg1/src/isomedia/avc_ext.c +@@ -410,7 +410,6 @@ static void nalu_merge_ps(GF_BitStream * + } + } + +- + GF_Err gf_isom_nalu_sample_rewrite(GF_MediaBox *mdia, GF_ISOSample *sample, u32 sampleNumber, GF_MPEGVisualSampleEntryBox *entry) + { + Bool is_hevc = GF_FALSE; +@@ -430,6 +429,10 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_Me + GF_ISOFile *file = mdia->mediaTrack->moov->mov; + GF_TrackReferenceTypeBox *scal = NULL; + ++ if (mdia->in_nalu_rewrite) ++ return GF_ISOM_INVALID_FILE; ++ mdia->in_nalu_rewrite = GF_TRUE; ++ + Track_FindRef(mdia->mediaTrack, GF_ISOM_REF_SCAL, &scal); + + rewrite_ps = (mdia->mediaTrack->extractor_mode & GF_ISOM_NALU_EXTRACT_INBAND_PS_FLAG) ? GF_TRUE : GF_FALSE; +@@ -461,10 +464,14 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_Me + + if (!mdia->extracted_samp) { + mdia->extracted_samp = gf_isom_sample_new(); +- if (!mdia->extracted_samp) return GF_OUT_OF_MEM; ++ if (!mdia->extracted_samp) { ++ mdia->in_nalu_rewrite = GF_FALSE; ++ return GF_OUT_OF_MEM; ++ } + } + + base_samp = gf_isom_get_sample_ex(mdia->mediaTrack->moov->mov, ref_track, sampleNumber + mdia->mediaTrack->sample_count_at_seg_start, &di, mdia->extracted_samp, NULL); ++ //base sample may be null (track split) + if (base_samp && base_samp->data) { + if (!sample->alloc_size || (sample->alloc_sizedataLength+base_samp->dataLength) ) { + sample->data = gf_realloc(sample->data, sample->dataLength+base_samp->dataLength); +@@ -490,10 +497,14 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_Me + + if (!mdia->extracted_samp) { + mdia->extracted_samp = gf_isom_sample_new(); +- if (!mdia->extracted_samp) return GF_OUT_OF_MEM; ++ if (!mdia->extracted_samp) { ++ mdia->in_nalu_rewrite = GF_FALSE; ++ return GF_OUT_OF_MEM; ++ } + } + + tile_samp = gf_isom_get_sample_ex(mdia->mediaTrack->moov->mov, ref_track, sampleNumber + mdia->mediaTrack->sample_count_at_seg_start, &di, mdia->extracted_samp, NULL); ++ //tile sample may be NULL (removal of tracks, ...) + if (tile_samp && tile_samp ->data) { + if (!sample->alloc_size || (sample->alloc_sizedataLength+tile_samp->dataLength) ) { + sample->data = gf_realloc(sample->data, sample->dataLength+tile_samp->dataLength); +@@ -502,7 +513,7 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_Me + memcpy(sample->data + sample->dataLength, tile_samp->data, tile_samp->dataLength); + sample->dataLength += tile_samp->dataLength; + } +- } ++ } + } + } + +@@ -527,15 +538,19 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_Me + if (extractor_mode != GF_ISOM_NALU_EXTRACT_LAYER_ONLY) + insert_vdrd_code = GF_FALSE; + +- if (!entry) return GF_BAD_PARAM; +- ++ if (!entry) { ++ mdia->in_nalu_rewrite = GF_FALSE; ++ return GF_BAD_PARAM; ++ } + //this is a compatible HEVC, don't insert VDRD, insert NALU delim + if (entry->lhvc_config && entry->hevc_config) + insert_vdrd_code = GF_FALSE; + + if (extractor_mode == GF_ISOM_NALU_EXTRACT_INSPECT) { +- if (!rewrite_ps && !rewrite_start_codes) ++ if (!rewrite_ps && !rewrite_start_codes) { ++ mdia->in_nalu_rewrite = GF_FALSE; + return GF_OK; ++ } + } + + nal_unit_size_field = 0; +@@ -554,6 +569,7 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_Me + + /*otherwise do nothing*/ + else if (!rewrite_ps && !rewrite_start_codes && !scal && !force_sei_inspect) { ++ mdia->in_nalu_rewrite = GF_FALSE; + return GF_OK; + } + +@@ -570,8 +586,10 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_Me + } + } + +- if (!nal_unit_size_field) return GF_ISOM_INVALID_FILE; +- ++ if (!nal_unit_size_field) { ++ mdia->in_nalu_rewrite = GF_FALSE; ++ return GF_ISOM_INVALID_FILE; ++ } + //setup PS rewriter + if (!mdia->nalu_ps_bs) + mdia->nalu_ps_bs = gf_bs_new(NULL, 0, GF_BITSTREAM_WRITE); +@@ -586,10 +604,16 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_Me + + if (!mdia->nalu_parser) { + mdia->nalu_parser = gf_bs_new(mdia->in_sample_buffer, sample->dataLength, GF_BITSTREAM_READ); +- if (!mdia->nalu_parser && sample->data) return GF_ISOM_INVALID_FILE; ++ if (!mdia->nalu_parser && sample->data) { ++ mdia->in_nalu_rewrite = GF_FALSE; ++ return GF_ISOM_INVALID_FILE; ++ } + } else { + e = gf_bs_reassign_buffer(mdia->nalu_parser, mdia->in_sample_buffer, sample->dataLength); +- if (e) return e; ++ if (e) { ++ mdia->in_nalu_rewrite = GF_FALSE; ++ return e; ++ } + } + //setup ouput + if (!mdia->nalu_out_bs) { +@@ -677,7 +701,7 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_Me + } + gf_bs_write_data(mdia->nalu_out_bs, mdia->in_sample_buffer, sample->dataLength); + gf_bs_get_content_no_truncate(mdia->nalu_out_bs, &sample->data, &sample->dataLength, &sample->alloc_size); +- ++ mdia->in_nalu_rewrite = GF_FALSE; + return GF_OK; + } + } +@@ -693,6 +717,7 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_Me + } + gf_bs_write_data(mdia->nalu_out_bs, mdia->in_sample_buffer, sample->dataLength); + gf_bs_get_content_no_truncate(mdia->nalu_out_bs, &sample->data, &sample->dataLength, &sample->alloc_size); ++ mdia->in_nalu_rewrite = GF_FALSE; + return GF_OK; + } + +@@ -770,6 +795,7 @@ GF_Err gf_isom_nalu_sample_rewrite(GF_Me + if (check_cra_bla && !sample->IsRAP) { + sample->IsRAP = sap_type_from_nal_type(nal_type); + if (sei_suffix_bs) gf_bs_del(sei_suffix_bs); ++ mdia->in_nalu_rewrite = GF_FALSE; + return gf_isom_nalu_sample_rewrite(mdia, sample, sampleNumber, entry); + } + default: +@@ -852,6 +878,7 @@ exit: + if (sei_suffix_bs) + gf_bs_del(sei_suffix_bs); + ++ mdia->in_nalu_rewrite = GF_FALSE; + return e; + } + +Index: gpac-1.0.1+dfsg1/src/media_tools/isom_tools.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/media_tools/isom_tools.c ++++ gpac-1.0.1+dfsg1/src/media_tools/isom_tools.c +@@ -3225,6 +3225,10 @@ GF_Err gf_media_split_hevc_tiles(GF_ISOF + u32 size, nb_nalus=0, nb_nal_entries=0, last_tile_group=(u32) -1; + GF_BitStream *bs=NULL; + GF_ISOSample *sample = gf_isom_get_sample(file, track, i+1, &di); ++ if (!sample) { ++ e = gf_isom_last_error(file); ++ goto err_exit; ++ } + + data = (u8 *) sample->data; + size = sample->dataLength; diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47663.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47663.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47663.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2022-47663.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,50 @@ +From e7e8745f677010a5cb3366d5cbf39df7cffaaa2d Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 19 Dec 2022 12:26:02 +0100 +Subject: [PATCH] fixed #2360 + +--- + src/filters/reframe_h263.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/src/filters/reframe_h263.c b/src/filters/reframe_h263.c +index 40cf40699..e79b388b1 100644 +--- a/src/filters/reframe_h263.c ++++ b/src/filters/reframe_h263.c +@@ -510,7 +510,14 @@ GF_Err h263dmx_process(GF_Filter *filter) + if (current>0) { + if (!ctx->opid) { + if (ctx->bytes_in_header) { +- ctx->bytes_in_header -= current; ++ if (ctx->bytes_in_headerbytes_in_header; ++ ctx->bytes_in_header = 0; ++ start += current; ++ remain -= current; ++ } else { ++ ctx->bytes_in_header -= current; ++ } + } else { + start += current; + remain -= current; +@@ -531,8 +538,16 @@ GF_Err h263dmx_process(GF_Filter *filter) + if (byte_offset != GF_FILTER_NO_BO) { + gf_filter_pck_set_byte_offset(dst_pck, byte_offset - ctx->bytes_in_header); + } +- ctx->bytes_in_header -= current; + memcpy(pck_data, ctx->hdr_store, current); ++ //we may have a partial startcode ++ if (current>ctx->bytes_in_header) { ++ current -= ctx->bytes_in_header; ++ start += current; ++ remain -= current; ++ ctx->bytes_in_header = 0; ++ } else { ++ ctx->bytes_in_header -= current; ++ } + } else { + if (byte_offset != GF_FILTER_NO_BO) { + gf_filter_pck_set_byte_offset(dst_pck, byte_offset); +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0770.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0770.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0770.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0770.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,28 @@ +From c31941822ee275a35bc148382bafef1c53ec1c26 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Wed, 23 Nov 2022 15:59:43 +0100 +Subject: [PATCH] fixed #2316 + +--- + src/scenegraph/vrml_proto.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/scenegraph/vrml_proto.c b/src/scenegraph/vrml_proto.c +index df30ed0df..02b92b576 100644 +--- a/src/scenegraph/vrml_proto.c ++++ b/src/scenegraph/vrml_proto.c +@@ -1292,7 +1292,10 @@ Bool gf_sg_proto_field_is_sftime_offset(GF_Node *node, GF_FieldInfo *field) + + gf_node_get_field(r->ToNode, r->ToField.fieldIndex, &inf); + /*IS to another proto*/ +- if (r->ToNode->sgprivate->tag == TAG_ProtoNode) return gf_sg_proto_field_is_sftime_offset(r->ToNode, &inf); ++ if (r->ToNode->sgprivate->tag == TAG_ProtoNode) { ++ if (r->ToNode==node) continue; ++ return gf_sg_proto_field_is_sftime_offset(r->ToNode, &inf); ++ } + /*IS to a startTime/stopTime field*/ + if (!stricmp(inf.name, "startTime") || !stricmp(inf.name, "stopTime")) return 1; + } +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0818.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0818.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0818.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0818.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,65 @@ +From 377ab25f3e502db2934a9cf4b54739e1c89a02ff Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Mon, 13 Feb 2023 15:42:10 +0100 +Subject: [PATCH] fix a5efec8 to cover more cases (#2397) + +--- + src/filters/load_text.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/filters/load_text.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/filters/load_text.c ++++ gpac-1.0.1+dfsg1/src/filters/load_text.c +@@ -246,18 +246,24 @@ char *gf_text_get_utf8_line(char *szLine + if (!unicode_type && (szLine[i] & 0x80)) { + /*non UTF8 (likely some win-CP)*/ + if ((szLine[i+1] & 0xc0) != 0x80) { ++ if (j >= GF_ARRAY_LENGTH(szLineConv)) ++ break; + szLineConv[j] = 0xc0 | ( (szLine[i] >> 6) & 0x3 ); + j++; + szLine[i] &= 0xbf; + } + /*UTF8 2 bytes char*/ + else if ( (szLine[i] & 0xe0) == 0xc0) { ++ if (j >= GF_ARRAY_LENGTH(szLineConv)) ++ break; + szLineConv[j] = szLine[i]; + i++; + j++; + } + /*UTF8 3 bytes char*/ + else if ( (szLine[i] & 0xf0) == 0xe0) { ++ if (j+1 >= GF_ARRAY_LENGTH(szLineConv)) ++ break; + szLineConv[j] = szLine[i]; + i++; + j++; +@@ -267,6 +273,8 @@ char *gf_text_get_utf8_line(char *szLine + } + /*UTF8 4 bytes char*/ + else if ( (szLine[i] & 0xf8) == 0xf0) { ++ if (j+2 >= GF_ARRAY_LENGTH(szLineConv)) ++ break; + szLineConv[j] = szLine[i]; + i++; + j++; +@@ -281,9 +289,17 @@ char *gf_text_get_utf8_line(char *szLine + continue; + } + } ++ ++ if (j >= GF_ARRAY_LENGTH(szLineConv)) ++ break; ++ + szLineConv[j] = szLine[i]; + j++; + } ++ if ( j >= GF_ARRAY_LENGTH(szLineConv) ) { ++ GF_LOG(GF_LOG_DEBUG, GF_LOG_PARSER, ("[TXTIn] Line too long to convert to utf8 (len: %d)\n", len)); ++ j = GF_ARRAY_LENGTH(szLineConv) -1 ; ++ } + szLineConv[j] = 0; + strcpy(szLine, szLineConv); + return sOK; diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0819.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0819.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0819.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0819.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,28 @@ +From d067ab3ccdeaa340e8c045a0fd5bcfc22b809e8f Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Mon, 13 Feb 2023 15:41:48 +0100 +Subject: [PATCH] mpeg2ts: add section size check (#2395) + +--- + src/media_tools/mpegts.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/media_tools/mpegts.c b/src/media_tools/mpegts.c +index 30fb2bb3f..7deabb630 100644 +--- a/src/media_tools/mpegts.c ++++ b/src/media_tools/mpegts.c +@@ -946,6 +946,11 @@ static void gf_m2ts_process_tdt_tot(GF_M2TS_Demuxer *ts, GF_M2TS_SECTION_ES *tdt + return; + } + ++ if (data_size < 5) { ++ GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[MPEG-2 TS] Section data size too small to read date (len: %u)\n", data_size)); ++ return; ++ } ++ + /*UTC_time - see annex C of DVB-SI ETSI EN 300468*/ + /* decodes an Modified Julian Date (MJD) into a Co-ordinated Universal Time (UTC) + See annex C of DVB-SI ETSI EN 300468 */ +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0866.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0866.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0866.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2023-0866.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,35 @@ +From b964fe4226f1424cf676d5822ef898b6b01f5937 Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Thu, 16 Feb 2023 17:34:58 +0100 +Subject: [PATCH] rfadts: add size guard on dmx (#2400) + +--- + src/filters/reframe_adts.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +Index: gpac-1.0.1+dfsg1/src/filters/reframe_adts.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/filters/reframe_adts.c ++++ gpac-1.0.1+dfsg1/src/filters/reframe_adts.c +@@ -256,7 +256,7 @@ static void adts_dmx_check_dur(GF_Filter + gf_filter_pid_set_property(ctx->opid, GF_PROP_PID_DURATION, & PROP_FRAC64(ctx->duration)); + } + } +- ++ + p = gf_filter_pid_get_property(ctx->ipid, GF_PROP_PID_FILE_CACHED); + if (p && p->value.boolean) ctx->file_loaded = GF_TRUE; + gf_filter_pid_set_property(ctx->opid, GF_PROP_PID_CAN_DATAREF, & PROP_BOOL(GF_TRUE ) ); +@@ -715,6 +715,12 @@ GF_Err adts_dmx_process(GF_Filter *filte + } + + if (!ctx->in_seek) { ++ ++ if (sync_pos + offset + size > remain) { ++ GF_LOG(GF_LOG_WARNING, GF_LOG_MEDIA, ("[ADTSDmx] truncated frame\n")); ++ break; ++ } ++ + dst_pck = gf_filter_pck_new_alloc(ctx->opid, size, &output); + if (ctx->src_pck) gf_filter_pck_merge_properties(ctx->src_pck, dst_pck); + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1448.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1448.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1448.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1448.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,26 @@ +From 8db20cb634a546c536c31caac94e1f74b778b463 Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Tue, 7 Feb 2023 18:27:19 +0100 +Subject: [PATCH] m2ts: check descs_size read from input to prevent overflow + (#2388) + +--- + src/media_tools/mpegts.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +Index: gpac-1.0.1+dfsg1/src/media_tools/mpegts.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/media_tools/mpegts.c ++++ gpac-1.0.1+dfsg1/src/media_tools/mpegts.c +@@ -807,6 +807,11 @@ static void gf_m2ts_process_sdt(GF_M2TS_ + descs_size = ((data[pos+3]&0xf)<<8) | data[pos+4]; + pos += 5; + ++ if (pos+descs_size > data_size) { ++ GF_LOG(GF_LOG_WARNING, GF_LOG_CONTAINER, ("[MPEG-2 TS] Invalid descriptors size read from data (%u)\n")); ++ return; ++ } ++ + d_pos = 0; + while (d_pos < descs_size) { + u8 d_tag = data[pos+d_pos]; diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1449.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1449.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1449.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1449.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,41 @@ +From 8ebbfd61c73d61a2913721a492e5a81fb8d9f9a9 Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Fri, 10 Feb 2023 15:36:49 +0100 +Subject: [PATCH] av1: flush samples on parse error (#2387) + +--- + src/filters/reframe_av1.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/filters/reframe_av1.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/filters/reframe_av1.c ++++ gpac-1.0.1+dfsg1/src/filters/reframe_av1.c +@@ -720,7 +720,7 @@ static GF_Err av1dmx_parse_flush_sample( + + if (!ctx->opid) + return GF_NON_COMPLIANT_BITSTREAM; +- ++ + gf_bs_get_content_no_truncate(ctx->state.bs, &ctx->state.frame_obus, &pck_size, &ctx->state.frame_obus_alloc); + + if (!pck_size) { +@@ -804,7 +804,12 @@ GF_Err av1dmx_parse_av1(GF_Filter *filte + //check pid state + av1dmx_check_pid(filter, ctx); + +- if (e) return e; ++ if (e) { ++ if (e!=GF_EOS && e!=GF_BUFFER_TOO_SMALL) { ++ av1dmx_parse_flush_sample(filter, ctx); ++ } ++ return e; ++ } + + + if (!ctx->opid) { +@@ -1114,4 +1119,3 @@ const GF_FilterRegister *av1dmx_register + return NULL; + } + #endif // GPAC_DISABLE_AV_PARSERS +- diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1452.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1452.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1452.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1452.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,27 @@ +From a5efec8187de02d1f0a412140b0bf030a6747d3f Mon Sep 17 00:00:00 2001 +From: Aurelien David +Date: Tue, 7 Feb 2023 16:01:42 +0100 +Subject: [PATCH] load_text: prevent overflow on long lines conversion to utf8 + (#2386) + +--- + src/filters/load_text.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: gpac-1.0.1+dfsg1/src/filters/load_text.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/filters/load_text.c ++++ gpac-1.0.1+dfsg1/src/filters/load_text.c +@@ -295,6 +295,12 @@ char *gf_text_get_utf8_line(char *szLine + + szLineConv[j] = szLine[i]; + j++; ++ ++ if (j >= GF_ARRAY_LENGTH(szLineConv) - 1) { ++ GF_LOG(GF_LOG_DEBUG, GF_LOG_PARSER, ("[TXTIn] Line too long to convert to utf8 (len: %d)\n", len)); ++ break; ++ } ++ + } + if ( j >= GF_ARRAY_LENGTH(szLineConv) ) { + GF_LOG(GF_LOG_DEBUG, GF_LOG_PARSER, ("[TXTIn] Line too long to convert to utf8 (len: %d)\n", len)); diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1654.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1654.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1654.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2023-1654.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,63 @@ +From 2c055153d401b8c49422971e3a0159869652d3da Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 27 Mar 2023 11:58:57 +0200 +Subject: [PATCH] fixed #2429 + +--- + src/filter_core/filter_pid.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/filter_core/filter_pid.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/filter_core/filter_pid.c ++++ gpac-1.0.1+dfsg1/src/filter_core/filter_pid.c +@@ -59,13 +59,17 @@ void gf_filter_pid_inst_del(GF_FilterPid + gf_list_del(pidinst->pck_reassembly); + if (pidinst->props) { + assert(pidinst->props->reference_count); +- if (safe_int_dec(&pidinst->props->reference_count) == 0) { +- //see \ref gf_filter_pid_merge_properties_internal for mutex +- gf_mx_p(pidinst->pid->filter->tasks_mx); +- gf_list_del_item(pidinst->pid->properties, pidinst->props); +- gf_mx_v(pidinst->pid->filter->tasks_mx); +- gf_props_del(pidinst->props); ++ gf_mx_p(pidinst->pid->filter->tasks_mx); ++ //not in parent pid, may happen when reattaching a pid inst to a different pid ++ //in this case do NOT delete the props ++ if (gf_list_find(pidinst->pid->properties, pidinst->props)>=0) { ++ if (safe_int_dec(&pidinst->props->reference_count) == 0) { ++ //see \ref gf_filter_pid_merge_properties_internal for mutex ++ gf_list_del_item(pidinst->pid->properties, pidinst->props); ++ gf_props_del(pidinst->props); ++ } + } ++ gf_mx_v(pidinst->pid->filter->tasks_mx); + } + gf_free(pidinst); + } +@@ -855,8 +859,15 @@ static GF_Err gf_filter_pid_configure(GF + if (!target->detached_pid_inst) { + target->detached_pid_inst = gf_list_new(); + } +- //detach props but don't delete them ++ //detach props + if (filter->swap_pidinst_dst->props) { ++ GF_FilterPidInst *swap_pidi = filter->swap_pidinst_dst; ++ if (safe_int_dec(&swap_pidi->props->reference_count)==0) { ++ gf_mx_p(swap_pidi->pid->filter->tasks_mx); ++ gf_list_del_item(swap_pidi->pid->properties, pidinst->props); ++ gf_mx_v(swap_pidi->pid->filter->tasks_mx); ++ gf_props_del(pidinst->props); ++ } + filter->swap_pidinst_dst->props = NULL; + } + filter->swap_pidinst_dst->pid = NULL; +@@ -1045,7 +1056,7 @@ void gf_filter_pid_detach_task(GF_FSTask + //first connection of this PID to this filter + if (!pidinst) { + GF_LOG(GF_LOG_ERROR, GF_LOG_FILTER, ("Trying to detach PID %s not found in filter %s inputs\n", pid->name, filter->name)); +- assert(!new_chain_input->swap_pidinst_dst); ++ //when swaping encoder, we may have swap_pidinst_dst not NULL so only check swap_pidinst_src + assert(!new_chain_input->swap_pidinst_src); + new_chain_input->swap_needs_init = GF_FALSE; + return; diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2023-23143.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2023-23143.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2023-23143.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2023-23143.patch 2023-05-23 11:42:05.000000000 +0000 @@ -0,0 +1,34 @@ +From af6a5e7a96ee01a139cce6c9e4edfc069aad17a6 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Wed, 4 Jan 2023 10:56:03 +0100 +Subject: [PATCH] fixed #2366 + +--- + src/media_tools/av_parsers.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/media_tools/av_parsers.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/media_tools/av_parsers.c ++++ gpac-1.0.1+dfsg1/src/media_tools/av_parsers.c +@@ -5558,9 +5558,10 @@ static s32 avc_parse_slice(GF_BitStream + if (si->slice_type > 9) return -1; + + pps_id = gf_bs_get_ue(bs); +- if ((pps_id < 0) || (pps_id > 255)) return -1; ++ if ((pps_id < 0) || (pps_id >= 255)) return -1; + si->pps = &avc->pps[pps_id]; + if (!si->pps->slice_group_count) return -2; ++ if (si->pps->sps_id>=32) return -1; + si->sps = &avc->sps[si->pps->sps_id]; + if (!si->sps->log2_max_frame_num) return -2; + avc->sps_active_idx = si->pps->sps_id; +@@ -5668,7 +5669,7 @@ static s32 svc_parse_slice(GF_BitStream + if (si->slice_type > 9) return -1; + + pps_id = gf_bs_get_ue(bs); +- if ((pps_id < 0) || (pps_id > 255)) ++ if ((pps_id < 0) || (pps_id >= 255)) + return -1; + si->pps = &avc->pps[pps_id]; + si->pps->id = pps_id; diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2023-23144.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2023-23144.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2023-23144.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2023-23144.patch 2023-05-23 11:45:49.000000000 +0000 @@ -0,0 +1,34 @@ +From 3a2458a49b3e6399709d456d7b35e7a6f50cfb86 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Wed, 4 Jan 2023 11:25:11 +0100 +Subject: [PATCH] fixed #2364 + +--- + src/bifs/unquantize.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/bifs/unquantize.c b/src/bifs/unquantize.c +index a43df12f0..008a83098 100644 +--- a/src/bifs/unquantize.c ++++ b/src/bifs/unquantize.c +@@ -2,7 +2,7 @@ + * GPAC - Multimedia Framework C SDK + * + * Authors: Jean Le Feuvre +- * Copyright (c) Telecom ParisTech 2000-2012 ++ * Copyright (c) Telecom ParisTech 2000-2023 + * All rights reserved + * + * This file is part of GPAC / BIFS codec sub-project +@@ -284,7 +284,7 @@ GF_Err Q_DecCoordOnUnitSphere(GF_BifsDecoder *codec, GF_BitStream *bs, u32 NbBit + s32 value; + Fixed tang[4], delta; + s32 dir; +- ++ if (NbBits>32) return GF_NON_COMPLIANT_BITSTREAM; + if (NbComp != 2 && NbComp != 3) return GF_BAD_PARAM; + + //only 2 or 3 comp in the quantized version +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2023-23145.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2023-23145.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2023-23145.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2023-23145.patch 2023-05-23 11:49:26.000000000 +0000 @@ -0,0 +1,24 @@ +From 4ade98128cbc41d5115b97a41ca2e59529c8dd5f Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Wed, 4 Jan 2023 11:31:29 +0100 +Subject: [PATCH] fixed #2365 + +--- + src/laser/lsr_dec.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/laser/lsr_dec.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/laser/lsr_dec.c ++++ gpac-1.0.1+dfsg1/src/laser/lsr_dec.c +@@ -1483,8 +1483,8 @@ static void lsr_read_rare_full(GF_LASeRC + } else { + da->type=SVG_STROKEDASHARRAY_ARRAY; + da->array.count = lsr_read_vluimsbf5(lsr, "len"); +- da->array.vals = (Fixed*)gf_malloc(sizeof(Fixed)*da->array.count); +- da->array.units = (u8*)gf_malloc(sizeof(u8)*da->array.count); ++ da->array.vals = (Fixed*)gf_realloc(da->array.vals, sizeof(Fixed)*da->array.count); ++ da->array.units = (u8*)gf_realloc(da->array.units, sizeof(u8)*da->array.count); + for (j=0; jarray.count; j++) { + da->array.vals[j] = lsr_read_fixed_16_8(lsr, "dash"); + da->array.units[j] = 0; diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2837.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2837.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2837.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2837.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,51 @@ +From 6f28c4cd607d83ce381f9b4a9f8101ca1e79c611 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 22 May 2023 17:35:19 +0200 +Subject: [PATCH] fixed #2473 + +--- + src/utils/xml_parser.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/src/utils/xml_parser.c b/src/utils/xml_parser.c +index b1b149152..49df33816 100644 +--- a/src/utils/xml_parser.c ++++ b/src/utils/xml_parser.c +@@ -191,6 +191,7 @@ struct _tag_sax_parser + GF_XMLAttribute *attrs; + GF_XMLSaxAttribute *sax_attrs; + u32 nb_attrs, nb_alloc_attrs; ++ u32 ent_rec_level; + }; + + static GF_XMLSaxAttribute *xml_get_sax_attribute(GF_SAXParser *parser) +@@ -902,7 +903,14 @@ restart: + parser->line_size = 0; + parser->elt_start_pos = 0; + parser->sax_state = SAX_STATE_TEXT_CONTENT; +- e = gf_xml_sax_parse_intern(parser, orig_buf); ++ parser->ent_rec_level++; ++ if (parser->ent_rec_level>100) { ++ GF_LOG(GF_LOG_WARNING, GF_LOG_CORE, ("[XML] Too many recursions in entity solving, max 100 allowed\n")); ++ e = GF_NOT_SUPPORTED; ++ } else { ++ e = gf_xml_sax_parse_intern(parser, orig_buf); ++ parser->ent_rec_level--; ++ } + gf_free(orig_buf); + return e; + } +@@ -1075,8 +1083,9 @@ static GF_Err gf_xml_sax_parse_intern(GF_SAXParser *parser, char *current) + /*append entity*/ + line_num = parser->line; + xml_sax_append_string(parser, ent->value); +- xml_sax_parse(parser, GF_TRUE); ++ GF_Err e = xml_sax_parse(parser, GF_TRUE); + parser->line = line_num; ++ if (e) return e; + + } + xml_sax_append_string(parser, current); +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2838.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2838.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2838.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2838.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,26 @@ +From c88df2e202efad214c25b4e586f243b2038779ba Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 22 May 2023 17:40:44 +0200 +Subject: [PATCH] fixed #2475 + +--- + src/filter_core/filter_session.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/filter_core/filter_session.c b/src/filter_core/filter_session.c +index 1cee6fd45..bcef8cfc0 100644 +--- a/src/filter_core/filter_session.c ++++ b/src/filter_core/filter_session.c +@@ -4145,6 +4145,9 @@ GF_Err gf_filter_get_stats(GF_Filter *f, GF_FilterStats *stats) + if ((f->num_input_pids!=1) && f->num_output_pids) + continue; + ++ if (!pidi->pid) ++ continue; ++ + if (!stats->codecid) + stats->codecid = pidi->pid->codecid; + if (!stats->stream_type) +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2839.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2839.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2839.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2839.patch 2023-05-23 09:28:27.000000000 +0000 @@ -0,0 +1,31 @@ +From 047f96fb39e6bf70cb9f344093f5886e51dce0ac Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 22 May 2023 17:48:08 +0200 +Subject: [PATCH] fixed #2476 + +--- + src/filters/reframe_nalu.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +Index: gpac-1.0.1+dfsg1/src/filters/reframe_nalu.c +=================================================================== +--- gpac-1.0.1+dfsg1.orig/src/filters/reframe_nalu.c ++++ gpac-1.0.1+dfsg1/src/filters/reframe_nalu.c +@@ -1105,10 +1105,14 @@ void naludmx_create_avc_decoder_config(G + else + DeltaTfiDivisorIdx = (ctx->avc_state->sei.pic_timing.pic_struct+1) / 2; + } +- if (!ctx->timescale && sps->vui.time_scale && sps->vui.num_units_in_tick) { +- ctx->cur_fps.num = 2 * sps->vui.time_scale; +- ctx->cur_fps.den = 2 * sps->vui.num_units_in_tick * DeltaTfiDivisorIdx; + ++ if (!ctx->timescale) { ++ u32 fps_num = 2 * sps->vui.time_scale; ++ u32 fps_den = 2 * sps->vui.num_units_in_tick * DeltaTfiDivisorIdx; ++ if (fps_num && fps_den) { ++ ctx->cur_fps.num = fps_num; ++ ctx->cur_fps.den = fps_den; ++ } + if (!ctx->fps.num && ctx->dts==ctx->fps.den) + ctx->dts = ctx->cur_fps.den; + } diff -Nru gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2840.patch gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2840.patch --- gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2840.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/CVE-2023-2840.patch 2023-05-23 11:37:25.000000000 +0000 @@ -0,0 +1,26 @@ +From ba59206b3225f0e8e95a27eff41cb1c49ddf9a37 Mon Sep 17 00:00:00 2001 +From: jeanlf +Date: Mon, 22 May 2023 17:37:24 +0200 +Subject: [PATCH] fixed #2474 + +--- + src/isomedia/movie_fragments.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/isomedia/movie_fragments.c b/src/isomedia/movie_fragments.c +index b742078d1..41d0717a4 100644 +--- a/src/isomedia/movie_fragments.c ++++ b/src/isomedia/movie_fragments.c +@@ -2876,7 +2876,8 @@ GF_Err gf_isom_fragment_add_sample_ex(GF_ISOFile *movie, GF_ISOTrackID TrackID, + //rewrite OD frames + if (traf->trex->track->Media->handler->handlerType == GF_ISOM_MEDIA_OD) { + //this may fail if dependencies are not well done ... +- Media_ParseODFrame(traf->trex->track->Media, sample, &od_sample); ++ GF_Err e = Media_ParseODFrame(traf->trex->track->Media, sample, &od_sample); ++ if (!od_sample) return e; + sample = od_sample; + } + +-- +2.39.2 + diff -Nru gpac-1.0.1+dfsg1/debian/patches/series gpac-1.0.1+dfsg1/debian/patches/series --- gpac-1.0.1+dfsg1/debian/patches/series 2021-08-19 21:53:10.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/series 2023-05-23 11:46:45.000000000 +0000 @@ -2,6 +2,7 @@ dont-err-build-on-uknown-system.patch CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch CVE-2020-35979.patch +CVE-2020-35980.patch CVE-2020-35981.patch CVE-2020-35982.patch CVE-2021-28300.patch @@ -19,3 +20,95 @@ talos-2021-1297.patch talos-2021-1298.patch talos-2021-1299.patch +talos-2021-1297-2.patch +CVE-2021-4043.patch +CVE-2021-36412.patch +CVE-2021-36414.patch +CVE-2021-36417.patch +CVE-2021-40559.patch +CVE-2021-40562.patch +CVE-2021-40563.patch +CVE-2021-40564.patch +CVE-2021-40565.patch +CVE-2021-40566.patch +CVE-2021-40567.patch +CVE-2021-40568.patch +CVE-2022-47659.patch +CVE-2021-40569.patch +CVE-2021-40570.patch +CVE-2021-40571.patch +CVE-2021-40572.patch +CVE-2021-40574.patch +CVE-2021-40575.patch +CVE-2021-40576_40606_40609.patch +CVE-2021-40592.patch +CVE-2021-40607.patch +CVE-2021-40608.patch +CVE-2021-40944.patch +CVE-2021-41456.patch +CVE-2021-41457.patch +CVE-2021-41459.patch +CVE-2021-33361.patch +CVE-2021-33363.patch +CVE-2021-33364.patch +CVE-2021-33365.patch +CVE-2021-33366.patch +CVE-2021-45262.patch +CVE-2021-45263.patch +CVE-2021-45267.patch +CVE-2021-45291.patch +CVE-2021-45292.patch +CVE-2021-45297.patch +CVE-2021-45760.patch +CVE-2021-45762.patch +CVE-2021-45763.patch +CVE-2021-45764.patch +CVE-2021-45767.patch +CVE-2021-45831.patch +CVE-2021-46038to46046_46049_46051.patch +CVE-2021-46047.patch +CVE-2022-45202.patch +CVE-2022-1035.patch +CVE-2022-1222.patch +CVE-2022-1441.patch +CVE-2022-1795.patch +CVE-2022-2454.patch +CVE-2022-3222.patch +CVE-2022-3957.patch +CVE-2022-4202.patch +CVE-2022-24574.patch +CVE-2022-24577.patch +CVE-2022-24578.patch +CVE-2022-26967_partial.patch +CVE-2022-27145.patch +CVE-2022-27147.patch +CVE-2022-29537.patch +CVE-2022-36190_36191.patch +CVE-2022-38530.patch +CVE-2022-43255.patch +CVE-2022-45283.patch +CVE-2022-45343.patch +CVE-2022-47086.patch +CVE-2022-47091.patch +CVE-2022-47094.patch +CVE-2022-47095.patch +CVE-2022-47657.patch +CVE-2022-47660.patch +CVE-2022-47661.patch +CVE-2022-47662.patch +CVE-2022-47663.patch +CVE-2023-0770.patch +CVE-2023-0818.patch +CVE-2023-0819.patch +CVE-2023-0866.patch +CVE-2023-1448.patch +CVE-2023-1449.patch +CVE-2023-1452.patch +CVE-2023-1654.patch +CVE-2023-2837.patch +CVE-2023-2838.patch +CVE-2023-2839.patch +CVE-2023-2840.patch +CVE-2023-23143.patch +CVE-2023-23144.patch +CVE-2023-23145.patch diff -Nru gpac-1.0.1+dfsg1/debian/patches/talos-2021-1297-2.patch gpac-1.0.1+dfsg1/debian/patches/talos-2021-1297-2.patch --- gpac-1.0.1+dfsg1/debian/patches/talos-2021-1297-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ gpac-1.0.1+dfsg1/debian/patches/talos-2021-1297-2.patch 2023-04-26 17:01:12.000000000 +0000 @@ -0,0 +1,13 @@ +Backport of https://github.com/gpac/gpac/commit/592ba2689a3f2fc787371eda490fde4f84e60315 + +--- gpac-1.0.1+dfsg1.orig/src/isomedia/box_code_base.c ++++ gpac-1.0.1+dfsg1/src/isomedia/box_code_base.c +@@ -5509,7 +5509,7 @@ GF_Err stss_box_read(GF_Box *s, GF_BitSt + + ISOM_DECREASE_SIZE(ptr, 4); + ptr->nb_entries = gf_bs_read_u32(bs); +- if (ptr->size < ptr->nb_entries * 4) { ++ if (ptr->size < ptr->nb_entries * 4 || (u64)ptr->nb_entries > (u64)SIZE_MAX/sizeof(u32)) { + GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] Invalid number of entries %d in stss\n", ptr->nb_entries)); + return GF_ISOM_INVALID_FILE; + }