
Conversation

daveorourke and others added 7 commits March 19, 2019 13:17
The calculation `hdrSize - dataSize` can underflow the 64-bit unsigned int dataSize type, which can lead to incorrect results.  We throw an exception to stop the code from going any further.

Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14325
If the atom type has an embedded nul character "\x00", the loop can terminate early and return true (match) when it should return false (no match).  This function should only return true if we have reached the loop termination conditions on s2.

For example:
   // These test cases passed before and after this change
   AssertIsTrue( MP4NameFirstMatches( "sdtp", "sdtp" ) );       // Exact match
   AssertIsTrue( MP4NameFirstMatches( "trak", "trak[1]" ) );    // Matches up to [
   AssertIsTrue( MP4NameFirstMatches( "sdtp", "sdtp." ) );      // Matches up to .
   AssertIsFalse( MP4NameFirstMatches( "\x00dtp", "sdtp." ) );  // Nul character at s[0]

   // These test cases failed before this change, and pass after this change
   AssertIsFalse( MP4NameFirstMatches( "s\x00tp", "sdtp." ) );  // Nul character at s[1]
   AssertIsFalse( MP4NameFirstMatches( "sd\x00p", "sdtp." ) );  // Nul character at s[2]
   AssertIsFalse( MP4NameFirstMatches( "sdt\x00", "sdtp." ) );  // Nul character at s[3]

Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14403
If an exception occurs (because of a crafted MP4) before the value is reassigned, then a double free can occur.  By setting the pointer to NULL after the first free, we prevent the double free in this case.

Addresses: https://nvd.nist.gov/vuln/detail/CVE-2018-14054
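The nul-character bug described in the second commit message above, as an added example that is not the project's own code: a reconstruction of the name matcher with the pre-fix return beside the post-fix return. Function names are hypothetical and exact character comparison is assumed; the `"s\0tp"` inputs mirror the commit's test cases.

```c
#include <stdbool.h>
#include <stdio.h>

/* s2 stops at end of string, '[' (an index) or '.' (a child path). */
static bool s2_terminated(char c)
{
    return c == '\0' || c == '[' || c == '.';
}

/* Walk both names while s1 has characters and s2 has not reached a
 * terminator; false only on a character mismatch. Exact comparison assumed. */
static bool walk_prefix(const char **s1, const char **s2)
{
    while (**s1 != '\0' && !s2_terminated(**s2)) {
        if (**s1 != **s2)
            return false;
        (*s1)++;
        (*s2)++;
    }
    return true;
}

/* Pre-fix behaviour: whatever ended the loop counts as a match, so a name cut
 * short by an embedded nul ("s\0tp") matches "sdtp." after one comparison. */
static bool name_first_matches_buggy(const char *s1, const char *s2)
{
    if (s1 == NULL || *s1 == '\0' || s2 == NULL || *s2 == '\0')
        return false;
    return walk_prefix(&s1, &s2);   /* BUG: ignores where s2 stopped */
}

/* Post-fix behaviour: a match also requires s2 to have reached one of its
 * own termination conditions, so an early end of s1 is a mismatch. */
static bool name_first_matches_fixed(const char *s1, const char *s2)
{
    if (s1 == NULL || *s1 == '\0' || s2 == NULL || *s2 == '\0')
        return false;
    if (!walk_prefix(&s1, &s2))
        return false;
    return s2_terminated(*s2);
}

int main(void)
{
    /* Constructed input: the callee sees "s\0tp" as the one-character name "s". */
    printf("buggy=%d fixed=%d\n",
           name_first_matches_buggy("s\0tp", "sdtp."),
           name_first_matches_fixed("s\0tp", "sdtp."));
    return 0;
}
```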
@JacobAnderson

👍 from me.

@daveorourke daveorourke merged commit 67cbf8d into master Mar 21, 2019
@daveorourke daveorourke deleted the securityFixes branch March 21, 2019 12:52
@daveorourke daveorourke mentioned this pull request Mar 21, 2019
stephenkwagner added a commit that referenced this pull request Mar 21, 2019
This PR updates the mac prebuilt to pull in the security fixes applied in #27.
@sergiomb2

sergiomb2 commented Nov 2, 2019

Hello, I try to maintain libmp4v2 on GitHub [1] for Fedora packaging, and in Bugzilla we have lots of security bug reports [2].
I think we don't have fixes for CVE-2018-17236, CVE-2018-17235 and CVE-2018-7339.
HTH
Thanks.

[1]
https://github.com/sergiomb2/libmp4v2
[2]
https://bugzilla.redhat.com/buglist.cgi?component=libmp4v2

@StilgarISCA
Contributor

Hello, I try to maintain libmp4v2 on GitHub [1] for Fedora packaging, and in Bugzilla we have lots of security bug reports [2]. I think we don't have fixes for CVE-2018-17236, CVE-2018-17235 and CVE-2018-7339. HTH Thanks.

[1] https://github.com/sergiomb2/libmp4v2 [2] https://bugzilla.redhat.com/buglist.cgi?component=libmp4v2

@sergiomb2 we have been made aware of a new, maintained fork of mp4v2 which you will likely find useful for your Fedora packages: https://github.com/enzo1982/mp4v2 and https://mp4v2.org/

@sergiomb2

yep enzo1982/mp4v2#1 (comment)


5 participants