From: "Andreas Sturmlechner" <asturm@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: media-libs/libquicktime/files/, media-libs/libquicktime/
Date: Tue, 18 Sep 2018 15:11:04 +0000 (UTC)	[thread overview]
Message-ID: <1537283265.c8d9d005d305c0d4a8232649e3ec93535c1bacca.asturm@gentoo> (raw)

commit:     c8d9d005d305c0d4a8232649e3ec93535c1bacca
Author:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
AuthorDate: Tue Sep 18 14:54:25 2018 +0000
Commit:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Tue Sep 18 15:07:45 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8d9d005

media-libs/libquicktime: Fix CVE-2017-9122..9128

Bug: https://bugs.gentoo.org/634806
Package-Manager: Portage-2.3.49, Repoman-2.3.10

 .../libquicktime-1.2.4-CVE-2017-9122_et_al.patch   | 151 +++++++++++++++++++++
 .../libquicktime/libquicktime-1.2.4-r3.ebuild      |   1 +
 2 files changed, 152 insertions(+)

diff --git a/media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2017-9122_et_al.patch b/media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2017-9122_et_al.patch
new file mode 100644
index 00000000000..06fb7b33758
--- /dev/null
+++ b/media-libs/libquicktime/files/libquicktime-1.2.4-CVE-2017-9122_et_al.patch
@@ -0,0 +1,151 @@
+From: Burkhard Plaum <plaum@ipf.uni-stuttgart.de>
+Origin: https://sourceforge.net/p/libquicktime/mailman/libquicktime-devel/?viewmonth=201706
+
+Hi,
+
+I committed some (mostly trivial) updates to CVS. The following CVE's
+are fixed and/or no longer reproducible:
+
+CVE-2017-9122
+CVE-2017-9123
+CVE-2017-9124
+CVE-2017-9125
+CVE-2017-9126
+CVE-2017-9127
+CVE-2017-9128
+
+I was a bit surprised that one simple sanity check fixes a whole bunch of files.
+
+So it could be, that the problems are still there, but better hidden since the
+critical code isn't executed anymore with the sample files I got.
+
+If someone encounters more crashes, feel free to report them.
+
+Burkhard
+
+--- a/include/lqt_funcprotos.h
++++ b/include/lqt_funcprotos.h
+@@ -1345,9 +1345,9 @@ int quicktime_write_int32_le(quicktime_t
+ int quicktime_write_char32(quicktime_t *file, char *string);
+ float quicktime_read_fixed16(quicktime_t *file);
+ int quicktime_write_fixed16(quicktime_t *file, float number);
+-unsigned long quicktime_read_uint32(quicktime_t *file);
+-long quicktime_read_int32(quicktime_t *file);
+-long quicktime_read_int32_le(quicktime_t *file);
++uint32_t quicktime_read_uint32(quicktime_t *file);
++int32_t quicktime_read_int32(quicktime_t *file);
++int32_t quicktime_read_int32_le(quicktime_t *file);
+ int64_t quicktime_read_int64(quicktime_t *file);
+ int64_t quicktime_read_int64_le(quicktime_t *file);
+ long quicktime_read_int24(quicktime_t *file);
+--- a/src/atom.c
++++ b/src/atom.c
+@@ -131,6 +131,9 @@ int quicktime_atom_read_header(quicktime
+ 			atom->size = read_size64(header);
+ 			atom->end = atom->start + atom->size;
+ 		}
++/* Avoid broken files */
++        if(atom->end > file->total_length)
++          result = 1;
+ 	}
+ 
+ 
+--- a/src/lqt_quicktime.c
++++ b/src/lqt_quicktime.c
+@@ -1788,8 +1788,8 @@ int quicktime_read_info(quicktime_t *fil
+                 quicktime_set_position(file, start_position);
+                 free(temp);
+ 
+-                quicktime_read_moov(file, &file->moov, &leaf_atom);
+-                got_header = 1;
++                if(!quicktime_read_moov(file, &file->moov, &leaf_atom))
++                  got_header = 1;
+                 }
+               else
+                 quicktime_atom_skip(file, &leaf_atom);
+--- a/src/moov.c
++++ b/src/moov.c
+@@ -218,7 +218,8 @@ int quicktime_read_moov(quicktime_t *fil
+ 		if(quicktime_atom_is(&leaf_atom, "trak"))
+ 		{
+ 			quicktime_trak_t *trak = quicktime_add_trak(file);
+-			quicktime_read_trak(file, trak, &leaf_atom);
++			if(quicktime_read_trak(file, trak, &leaf_atom))
++                          return 1;
+ 		}
+ 		else
+ 		if(quicktime_atom_is(&leaf_atom, "udta"))
+--- a/src/trak.c
++++ b/src/trak.c
+@@ -269,6 +269,14 @@ int quicktime_read_trak(quicktime_t *fil
+     else quicktime_atom_skip(file, &leaf_atom);
+     } while(quicktime_position(file) < trak_atom->end);
+ 
++  /* Do some sanity checks to prevent later crashes */
++  if(trak->mdia.minf.is_video || trak->mdia.minf.is_video)
++    {
++    if(!trak->mdia.minf.stbl.stsc.table ||
++       !trak->mdia.minf.stbl.stco.table)
++      return 1;
++    }
++
+ #if 1 
+   if(trak->mdia.minf.is_video &&
+      quicktime_match_32(trak->mdia.minf.stbl.stsd.table[0].format, "drac"))
+--- a/src/util.c
++++ b/src/util.c
+@@ -647,10 +647,10 @@ int quicktime_write_fixed16(quicktime_t
+ 	return quicktime_write_data(file, data, 2);
+ }
+ 
+-unsigned long quicktime_read_uint32(quicktime_t *file)
++uint32_t quicktime_read_uint32(quicktime_t *file)
+ {
+-	unsigned long result;
+-	unsigned long a, b, c, d;
++	uint32_t result;
++	uint32_t a, b, c, d;
+ 	uint8_t data[4];
+ 
+ 	quicktime_read_data(file, data, 4);
+@@ -663,10 +663,10 @@ unsigned long quicktime_read_uint32(quic
+ 	return result;
+ }
+ 
+-long quicktime_read_int32(quicktime_t *file)
++int32_t quicktime_read_int32(quicktime_t *file)
+ {
+-	unsigned long result;
+-	unsigned long a, b, c, d;
++	uint32_t result;
++	uint32_t a, b, c, d;
+ 	uint8_t data[4];
+ 
+ 	quicktime_read_data(file, data, 4);
+@@ -676,13 +676,13 @@ long quicktime_read_int32(quicktime_t *f
+ 	d = data[3];
+ 
+ 	result = (a << 24) | (b << 16) | (c << 8) | d;
+-	return (long)result;
++	return (int32_t)result;
+ }
+ 
+-long quicktime_read_int32_le(quicktime_t *file)
++int32_t quicktime_read_int32_le(quicktime_t *file)
+ {
+-	unsigned long result;
+-	unsigned long a, b, c, d;
++	uint32_t result;
++	uint32_t a, b, c, d;
+ 	uint8_t data[4];
+ 
+ 	quicktime_read_data(file, data, 4);
+@@ -692,7 +692,7 @@ long quicktime_read_int32_le(quicktime_t
+ 	d = data[3];
+ 
+ 	result = (d << 24) | (c << 16) | (b << 8) | a;
+-	return (long)result;
++	return (int32_t)result;
+ }
+ 
+ int64_t quicktime_read_int64(quicktime_t *file)
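Review bot: The new sanity check in src/trak.c tests the same flag twice, `if(trak->mdia.minf.is_video || trak->mdia.minf.is_video)`, so the `||` is a no-op and only video tracks are required to have stsc/stco tables; a non-video trak from a malformed file still passes and reaches the code the check was meant to protect. The second operand was presumably meant to be the audio counterpart of the flag (`is_audio` in the minf struct, to be confirmed against the header), i.e. `if(trak->mdia.minf.is_video || trak->mdia.minf.is_audio)`. A short comment on the duplicated line stating which track kinds the check is meant to cover would make the intent clear to whoever carries this patch forward. quicktime_read_trak continues outside the hunk, and the moov.c early `return 1` after a failed quicktime_read_trak leaves the already-added trak in place, which looks harmless given that quicktime_read_info then does not set got_header, but is worth a comment.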

diff --git a/media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild b/media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild
index 69f1b64818e..e4c2bea8920 100644
--- a/media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild
+++ b/media-libs/libquicktime/libquicktime-1.2.4-r3.ebuild
@@ -61,6 +61,7 @@ PATCHES=(
 	"${FILESDIR}"/${P}-ffmpeg2.patch
 	"${FILESDIR}"/${P}-ffmpeg29.patch
 	"${FILESDIR}"/${P}-CVE-2016-2399.patch
+	"${FILESDIR}"/${P}-CVE-2017-9122_et_al.patch
 )
 
 src_prepare() {

