diff --git a/CVE-2022-3718.patch b/CVE-2022-3718.patch new file mode 100644 index 0000000000000000000000000000000000000000..9b982329f8580edba235cdffed87efed5c2a7dc3 --- /dev/null +++ b/CVE-2022-3718.patch @@ -0,0 +1,188 @@ +From 459910c36a21369c09b75bcfa82f287c9da56abf Mon Sep 17 00:00:00 2001 +From: Kevin Backhouse +Date: Sat, 8 Oct 2022 21:40:04 +0100 +Subject: [PATCH] Credit to OSS-Fuzz: + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51751 Credit to + OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52053 Avoid + null pointer deref and heap buffer overflow. + +--- + src/quicktimevideo.cpp | 41 ++++++++---------- + test/data/issue_2376_poc.mp4 | Bin 0 -> 99 bytes + test/data/issue_2377_poc.mp4 | Bin 0 -> 225 bytes + tests/bugfixes/github/test_issue_2376.py | 13 ++++++ + tests/bugfixes/github/test_issue_2377.py | 17 ++++++++ + .../test_regression_allfiles.py | 2 + + 6 files changed, 49 insertions(+), 24 deletions(-) + create mode 100644 test/data/issue_2376_poc.mp4 + create mode 100644 test/data/issue_2377_poc.mp4 + create mode 100644 tests/bugfixes/github/test_issue_2376.py + create mode 100644 tests/bugfixes/github/test_issue_2377.py + +diff --git a/src/quicktimevideo.cpp b/src/quicktimevideo.cpp +index 352fe4b0de..fa567ecaaa 100644 +--- a/src/quicktimevideo.cpp ++++ b/src/quicktimevideo.cpp +@@ -575,6 +575,14 @@ void QuickTimeVideo::decodeBlock(std::string const& entered_from) { + tagDecoder(buf, newsize); + } // QuickTimeVideo::decodeBlock + ++static std::string readString(BasicIo& io, size_t size) { ++ enforce(size <= io.size() - io.tell(), Exiv2::ErrorCode::kerCorruptedMetadata); ++ Exiv2::DataBuf str(size + 1); ++ io.readOrThrow(str.data(), size); ++ str.write_uint8(size, 0); // nul-terminate string ++ return Exiv2::toString(str.data()); ++} ++ + void QuickTimeVideo::tagDecoder(Exiv2::DataBuf& buf, size_t size) { + assert(buf.size() > 4); + +@@ -626,30 +634,21 @@ void QuickTimeVideo::tagDecoder(Exiv2::DataBuf& buf, size_t size) { + keysTagDecoder(size); + + else if (equalsQTimeTag(buf, "url ")) { +- Exiv2::DataBuf url(size + 1); +- io_->readOrThrow(url.data(), size); +- url.write_uint8(size, 0); + if (currentStream_ == Video) +- xmpData_["Xmp.video.URL"] = Exiv2::toString(url.data()); ++ xmpData_["Xmp.video.URL"] = readString(*io_, size); + else if (currentStream_ == Audio) +- xmpData_["Xmp.audio.URL"] = Exiv2::toString(url.data()); ++ xmpData_["Xmp.audio.URL"] = readString(*io_, size); + } + + else if (equalsQTimeTag(buf, "urn ")) { +- Exiv2::DataBuf urn(size + 1); +- io_->readOrThrow(urn.data(), size); +- urn.write_uint8(size, 0); + if (currentStream_ == Video) +- xmpData_["Xmp.video.URN"] = Exiv2::toString(urn.data()); ++ xmpData_["Xmp.video.URN"] = readString(*io_, size); + else if (currentStream_ == Audio) +- xmpData_["Xmp.audio.URN"] = Exiv2::toString(urn.data()); ++ xmpData_["Xmp.audio.URN"] = readString(*io_, size); + } + + else if (equalsQTimeTag(buf, "dcom")) { +- Exiv2::DataBuf dcom(size + 1); +- io_->readOrThrow(dcom.data(), size); +- dcom.write_uint8(size, 0); +- xmpData_["Xmp.video.Compressor"] = Exiv2::toString(dcom.data()); ++ xmpData_["Xmp.video.Compressor"] = readString(*io_, size); + } + + else if (equalsQTimeTag(buf, "smhd")) { +@@ -782,6 +781,7 @@ void QuickTimeVideo::CameraTagsDecoder(size_t size_external) { + xmpData_["Xmp.video.FocalLength"] = buf.read_uint32(0, littleEndian) / (double)buf2.read_uint32(0, littleEndian); + io_->seek(static_cast(95), BasicIo::cur); + io_->readOrThrow(buf.data(), 48); ++ buf.write_uint8(48, 0); + xmpData_["Xmp.video.Software"] = Exiv2::toString(buf.data()); + io_->readOrThrow(buf.data(), 4); + xmpData_["Xmp.video.ISO"] = buf.read_uint32(0, littleEndian); +@@ -829,8 +829,8 @@ void QuickTimeVideo::userDataDecoder(size_t size_external) { + + else if (equalsQTimeTag(buf, "CNCV") || equalsQTimeTag(buf, "CNFV") || equalsQTimeTag(buf, "CNMN") || + equalsQTimeTag(buf, "NCHD") || equalsQTimeTag(buf, "FFMV")) { +- io_->readOrThrow(buf.data(), size - 8); +- xmpData_[exvGettext(tv->label_)] = Exiv2::toString(buf.data()); ++ enforce(tv, Exiv2::ErrorCode::kerCorruptedMetadata); ++ xmpData_[exvGettext(tv->label_)] = readString(*io_, size - 8); + } + + else if (equalsQTimeTag(buf, "CMbo") || equalsQTimeTag(buf, "Cmbo")) { +@@ -845,15 +845,8 @@ void QuickTimeVideo::userDataDecoder(size_t size_external) { + } + + else if (tv) { +- const size_t tv_size = size - 12; +- if (tv_size >= buf.size()) { +- enforce(tv_size <= io_->size() - io_->tell(), Exiv2::ErrorCode::kerCorruptedMetadata); +- buf.resize(tv_size + 1); +- } + io_->readOrThrow(buf.data(), 4); +- io_->readOrThrow(buf.data(), tv_size); +- buf.write_uint8(tv_size, 0); // nul-terminate string +- xmpData_[exvGettext(tv->label_)] = Exiv2::toString(buf.data()); ++ xmpData_[exvGettext(tv->label_)] = readString(*io_, size - 12); + } + + else if (td) +diff --git a/test/data/issue_2376_poc.mp4 b/test/data/issue_2376_poc.mp4 +new file mode 100644 +index 0000000000000000000000000000000000000000..fc2c61bd66ea172abd627cf5a7d3379f402eecef +GIT binary patch +literal 99 +zcmZQzV30^FsVpcgQBe5*|GxqZFfcH9ho+Py0%-+5XO9$^I1&w2j6xv{fGPwE004~a +B77qXb + +literal 0 +HcmV?d00001 + +diff --git a/test/data/issue_2377_poc.mp4 b/test/data/issue_2377_poc.mp4 +new file mode 100644 +index 0000000000000000000000000000000000000000..747351387d1d1beb070c3a2a2e9beba874e657b9 +GIT binary patch +literal 225 +rcmZQzV30^FsVpcgQBe5*UjYsn7#L25rj#TC={ - 0.27.5-4 +- Fix CVE-2022-3718 + * Thu Nov 10 2022 jiangpeng - 0.27.5-3 - Fix CVE-2022-3755 CVE-2022-3756