
CVE-2023-5377: fixed #2606 · gpac/gpac@8e9d6b3

Out-of-bounds Read in GitHub repository gpac/gpac prior to v2.2.2-DEV.


Expand Up @@ -12676,15 +12676,29 @@ GF_Err chnl_box_read(GF_Box *s,GF_BitStream *bs) GF_ChannelLayoutBox *ptr = (GF_ChannelLayoutBox *) s;
ISOM_DECREASE_SIZE(s, 1) ptr->layout.stream_structure = gf_bs_read_u8(bs); if (ptr->version==0) { ptr->layout.stream_structure = gf_bs_read_u8(bs); } else { ptr->layout.stream_structure = gf_bs_read_int(bs, 4); ptr->layout.format_ordering = gf_bs_read_int(bs, 4); ISOM_DECREASE_SIZE(s, 1) ptr->layout.base_channel_count = gf_bs_read_u8(bs); } if (ptr->layout.stream_structure & 1) { ISOM_DECREASE_SIZE(s, 1) ptr->layout.definedLayout = gf_bs_read_u8(bs); if (ptr->layout.definedLayout==0) { u32 remain = (u32) ptr->size; if (ptr->layout.stream_structure & 2) remain–; ptr->layout.channels_count = 0; u32 nb_channels = 0; if (ptr->version) { ISOM_DECREASE_SIZE(s, 1) nb_channels = gf_bs_read_u8(bs); } while (remain) { if (ptr->layout.channels_count==64) return GF_ISOM_INVALID_FILE;
ISOM_DECREASE_SIZE(s, 1) ptr->layout.layouts[ptr->layout.channels_count].position = gf_bs_read_u8(bs); remain–; Expand All @@ -12694,13 +12708,31 @@ GF_Err chnl_box_read(GF_Box *s,GF_BitStream *bs) ptr->layout.layouts[ptr->layout.channels_count].elevation = gf_bs_read_int(bs, 8); remain-=3; } ptr->layout.channels_count++; if (ptr->version) { nb_channels–; if (!nb_channels) break; } } } else { ISOM_DECREASE_SIZE(s, 8) ptr->layout.omittedChannelsMap = gf_bs_read_u64(bs); if (ptr->version==0) { ISOM_DECREASE_SIZE(s, 8) ptr->layout.omittedChannelsMap = gf_bs_read_u64(bs); ptr->layout.omitted_channels_present = 1; ptr->layout.channel_order_definition = 0; } else { ISOM_DECREASE_SIZE(s, 1) gf_bs_read_int(bs, 4); ptr->layout.channel_order_definition = gf_bs_read_int(bs, 3); ptr->layout.omitted_channels_present = gf_bs_read_int(bs, 1); if (ptr->layout.omitted_channels_present) { ISOM_DECREASE_SIZE(s, 8) ptr->layout.omittedChannelsMap = gf_bs_read_u64(bs); } } } } if (ptr->layout.stream_structure & 2) { if ((ptr->version==0) && (ptr->layout.stream_structure & 2)) { ISOM_DECREASE_SIZE(s, 1) ptr->layout.object_count = gf_bs_read_u8(bs); } Expand All @@ -12724,10 +12756,20 @@ GF_Err chnl_box_write(GF_Box *s, GF_BitStream *bs) if (e) return e;
gf_bs_write_u8(bs, ptr->layout.stream_structure); if (ptr->version==0) { gf_bs_write_u8(bs, ptr->layout.stream_structure); } else { gf_bs_write_int(bs, ptr->layout.stream_structure, 4); gf_bs_write_int(bs, ptr->layout.format_ordering, 4); gf_bs_write_u8(bs, ptr->layout.base_channel_count); } if (ptr->layout.stream_structure & 1) { gf_bs_write_u8(bs, ptr->layout.definedLayout); if (ptr->layout.definedLayout==0) { u32 i; if (ptr->version==1) { gf_bs_write_u8(bs, ptr->layout.channels_count); } for (i=0; i<ptr->layout.channels_count; i++) { gf_bs_write_u8(bs, ptr->layout.layouts[i].position); if (ptr->layout.layouts[i].position==126) { Expand All @@ -12736,10 +12778,18 @@ GF_Err chnl_box_write(GF_Box *s, GF_BitStream *bs) } } } else { gf_bs_write_u64(bs, ptr->layout.omittedChannelsMap); if (ptr->version==1) { gf_bs_write_int(bs, 0, 4); gf_bs_write_int(bs, ptr->layout.channel_order_definition, 3); gf_bs_write_int(bs, ptr->layout.omitted_channels_present, 1); if (ptr->layout.omitted_channels_present) gf_bs_write_u64(bs, ptr->layout.omittedChannelsMap); } else { gf_bs_write_u64(bs, ptr->layout.omittedChannelsMap); } } } if (ptr->layout.stream_structure & 2) { if ((ptr->version==0) && (ptr->layout.stream_structure & 2)) { gf_bs_write_u8(bs, ptr->layout.object_count); } return GF_OK; Expand All @@ -12749,20 +12799,28 @@ GF_Err chnl_box_size(GF_Box *s) { GF_ChannelLayoutBox *ptr = (GF_ChannelLayoutBox *) s; s->size += 1; if (ptr->version==1) s->size++; if (ptr->layout.stream_structure & 1) { s->size += 1; if (ptr->layout.definedLayout==0) { u32 i; if (ptr->version==1) s->size++; for (i=0; i<ptr->layout.channels_count; i++) { s->size+=1; if (ptr->layout.layouts[i].position==126) s->size+=3; } } else { s->size += 8; if (ptr->version==1) { s->size += 1; if (ptr->layout.omitted_channels_present) s->size += 8; } else { s->size += 8; } } } if (ptr->layout.stream_structure & 2) { if ((ptr->version==0) && (ptr->layout.stream_structure & 2)) { s->size += 1; } return GF_OK; Expand Down
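Review bot: In the version-1 path of `chnl_box_read`, a declared channel count of zero is not honoured, because `nb_channels` is a `u32` and the `nb_channels--` at the bottom of the `while (remain)` loop wraps past zero, so `if (!nb_channels) break;` never fires. The loop then runs until `remain` is exhausted or the new `channels_count==64` check returns, so the parsed layout no longer matches what the box declares. Testing the count before reading an entry avoids this, for example `while (remain && (!ptr->version || nb_channels)) {` with only `if (ptr->version) nb_channels--;` left at the end of the body. The `64` literal would also be safer if it were derived from the declared size of `layouts[]`, which is not visible on this page. The page has lost its `+`/`-` markers and collapses the lines between hunks, so this reading of the new side is inferred, and the loop body is only partly shown.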
