From: Burkhard Plaum Origin: https://sourceforge.net/p/libquicktime/mailman/libquicktime-devel/?viewmonth=201706 Hi, I committed some (mostly trivial) updates to CVS. The following CVE's are fixed and/or no longer reproducible: CVE-2017-9122 CVE-2017-9123 CVE-2017-9124 CVE-2017-9125 CVE-2017-9126 CVE-2017-9127 CVE-2017-9128 I was a bit surprised that one simple sanity check fixes a whole bunch of files. So it could be, that the problems are still there, but better hidden since the critical code isn't executed anymore with the sample files I got. If someone encounters more crashes, feel free to report them. Burkhard 
--- a/include/lqt_funcprotos.h 
+++ b/include/lqt_funcprotos.h 
@@ -1345,9 +1345,9 @@ int quicktime_write_int32_le(quicktime_t
 int quicktime_write_char32(quicktime_t *file, char *string);
 float quicktime_read_fixed16(quicktime_t *file);
 int quicktime_write_fixed16(quicktime_t *file, float number); 
-unsigned long quicktime_read_uint32(quicktime_t *file); 
-long quicktime_read_int32(quicktime_t *file); 
-long quicktime_read_int32_le(quicktime_t *file); 
+uint32_t quicktime_read_uint32(quicktime_t *file); 
+int32_t quicktime_read_int32(quicktime_t *file); 
+int32_t quicktime_read_int32_le(quicktime_t *file);
 int64_t quicktime_read_int64(quicktime_t *file);
 int64_t quicktime_read_int64_le(quicktime_t *file);
 long quicktime_read_int24(quicktime_t *file); 
--- a/src/atom.c 
+++ b/src/atom.c 
@@ -131,6 +131,9 @@ int quicktime_atom_read_header(quicktime
 atom->size = read_size64(header);
 atom->end = atom->start + atom->size;
 } 
+/* Avoid broken files */ 
+ if(atom->end > file->total_length) 
+ result = 1;
 } 
--- a/src/lqt_quicktime.c 
+++ b/src/lqt_quicktime.c 
@@ -1788,8 +1788,8 @@ int quicktime_read_info(quicktime_t *fil
 quicktime_set_position(file, start_position);
 free(temp); 
- quicktime_read_moov(file, &file->moov, &leaf_atom); 
- got_header = 1; 
+ if(!quicktime_read_moov(file, &file->moov, &leaf_atom)) 
+ got_header = 1;
 }
 else quicktime_atom_skip(file, &leaf_atom); 
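Review bot: Narrowing the return types of `quicktime_read_uint32`, `quicktime_read_int32` and `quicktime_read_int32_le` in a public header is an ABI change on LP64 targets (a 64-bit `long` becomes a 32-bit value), so anything compiled against the old prototypes but not rebuilt — libquicktime's codec plugins, if they are built separately — would read the result through the wrong register width. A full rebuild is required and, if the library's version scheme tracks ABI, a soname bump with it. The visible lines already use `int64_t`, so `<stdint.h>` is presumably reachable from this header; worth confirming it is included directly rather than transitively.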
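Review bot: The new bound can be bypassed by wrap-around: `atom->end` is `atom->start + atom->size`, with `size` taken straight from the file by `read_size64` two lines above, so a crafted size near the top of the field's range wraps `end` to a small value that passes `atom->end > file->total_length`. Compare the size against the space left in the file rather than the sum, `if(atom->size > file->total_length - atom->start) result = 1;` (this assumes `start` was already bounded by `total_length` earlier in `quicktime_atom_read_header`, which begins outside the hunk, and that the fields share a signedness — both need confirming). A size smaller than the atom header itself should also be rejected at the same point, since `end` then lands before the current read position and callers that skip to `atom->end` may seek backwards and loop.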
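Review bot: When `quicktime_read_moov` fails, `got_header` stays 0 but `file->moov` keeps whatever was parsed before the failure — including a `trak` that `quicktime_add_trak` appended and that `quicktime_read_trak` then rejected with its tables still NULL — and the enclosing atom loop simply carries on with the next atom. Whether the close/teardown path tolerates such a half-initialised track cannot be seen from here; either make the failure terminal at this point (`break` out of the loop and surface an error to the caller) or make sure the teardown code checks those table pointers before touching them. `quicktime_read_info` begins and ends outside this hunk.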
--- a/src/moov.c 
+++ b/src/moov.c 
@@ -218,7 +218,8 @@ int quicktime_read_moov(quicktime_t *fil
 if(quicktime_atom_is(&leaf_atom, "trak"))
 {
 quicktime_trak_t *trak = quicktime_add_trak(file); 
- quicktime_read_trak(file, trak, &leaf_atom); 
+ if(quicktime_read_trak(file, trak, &leaf_atom)) 
+ return 1;
 }
 else if(quicktime_atom_is(&leaf_atom, "udta")) 
--- a/src/trak.c 
+++ b/src/trak.c 
@@ -269,6 +269,14 @@ int quicktime_read_trak(quicktime_t *fil
 else quicktime_atom_skip(file, &leaf_atom);
 } while(quicktime_position(file) < trak_atom->end); 
+ /* Do some sanity checks to prevent later crashes */ 
+ if(trak->mdia.minf.is_video || trak->mdia.minf.is_video) 
+ { 
+ if(!trak->mdia.minf.stbl.stsc.table || 
+ !trak->mdia.minf.stbl.stco.table) 
+ return 1; 
+ } 
+
 #if 1
 if(trak->mdia.minf.is_video &&
 quicktime_match_32(trak->mdia.minf.stbl.stsd.table[0].format, "drac")) 
--- a/src/util.c 
+++ b/src/util.c 
@@ -647,10 +647,10 @@ int quicktime_write_fixed16(quicktime_t
 return quicktime_write_data(file, data, 2);
 } 
-unsigned long quicktime_read_uint32(quicktime_t *file) 
+uint32_t quicktime_read_uint32(quicktime_t *file)
 { 
- unsigned long result; 
- unsigned long a, b, c, d; 
+ uint32_t result; 
+ uint32_t a, b, c, d;
 uint8_t data[4];
 quicktime_read_data(file, data, 4); 
@@ -663,10 +663,10 @@ unsigned long quicktime_read_uint32(quic
 return result;
 } 
-long quicktime_read_int32(quicktime_t *file) 
+int32_t quicktime_read_int32(quicktime_t *file)
 { 
- unsigned long result; 
- unsigned long a, b, c, d; 
+ uint32_t result; 
+ uint32_t a, b, c, d;
 uint8_t data[4];
 quicktime_read_data(file, data, 4); 
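Review bot: `quicktime_add_trak(file)` is still called without checking its result before `trak` is handed to `quicktime_read_trak`; if it can return NULL on allocation failure (its definition is not in the hunk), that dereference is reached before the new check ever runs. Returning 1 here also leaves the track just appended to `file->moov` in a half-read state, so the caller's cleanup must cope with it. A single guard covers the first point: `if(!trak || quicktime_read_trak(file, trak, &leaf_atom)) return 1;`. The other return paths of `quicktime_read_moov` are outside the hunk; the new caller in `quicktime_read_info` treats any non-zero value as failure, so confirm the success path really returns 0.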
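Review bot: The sanity check tests `trak->mdia.minf.is_video` twice — `is_video || is_video` — so the second operand is presumably meant to be the audio flag, and as written an audio track with a missing `stsc` or `stco` table still falls through to the code this check is meant to protect. Assuming the struct carries an `is_audio` field alongside `is_video` (confirm), the line should read `if(trak->mdia.minf.is_video || trak->mdia.minf.is_audio)`. The `#if 1` block right below dereferences `stbl.stsd.table[0]` for video tracks, so `!trak->mdia.minf.stbl.stsd.table` belongs in the same check, together with a test that its entry count is at least 1 if the stsd struct exposes one. `quicktime_read_trak` begins and ends outside the hunk.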
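Review bot: The return value of `quicktime_read_data(file, data, 4)` is ignored and `data` is left uninitialised, so if the read comes up short at the end of a truncated file the bytes assembled into `result` are indeterminate — undefined behaviour, and a way for a truncated input to turn stack contents into a length or offset. If `quicktime_read_data` reports short reads through its return value (not visible here), the cheapest mitigation is `uint8_t data[4] = {0};` so a failed read yields 0 deterministically; propagating the failure would be better but changes an interface used widely. The same applies to `quicktime_read_int32` and `quicktime_read_int32_le` in the following hunks.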
@@ -676,13 +676,13 @@ long quicktime_read_int32(quicktime_t *f
 d = data[3];
 result = (a << 24) | (b << 16) | (c << 8) | d; 
- return (long)result; 
+ return (int32_t)result;
 } 
-long quicktime_read_int32_le(quicktime_t *file) 
+int32_t quicktime_read_int32_le(quicktime_t *file)
 { 
- unsigned long result; 
- unsigned long a, b, c, d; 
+ uint32_t result; 
+ uint32_t a, b, c, d;
 uint8_t data[4];
 quicktime_read_data(file, data, 4); 
@@ -692,7 +692,7 @@ long quicktime_read_int32_le(quicktime_t
 d = data[3];
 result = (d << 24) | (c << 16) | (b << 8) | a; 
- return (long)result; 
+ return (int32_t)result;
 }
 int64_t quicktime_read_int64(quicktime_t *file)
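Review bot: On LP64 targets `return (int32_t)result;` changes what callers see for values with the top bit set: `(long)result` used to yield a large positive number up to 4294967295, whereas the new cast yields a negative one (0xFFFFFFFF becomes -1), and converting an out-of-range value to `int32_t` is implementation-defined rather than guaranteed two's-complement. Callers that store the result in a `long` and use it as a count or offset therefore switch from a huge positive value to a negative one; neither is safe unchecked, so every such site still needs an explicit range check against the file length before it feeds an allocation or a seek. Where a field is really an unsigned 32-bit quantity, `quicktime_read_uint32` is the function to call, which keeps the old numeric range without the sign surprise.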