@alexwnovak
I cherry-picked DRO's commits from his PR that made the security fixes: #27

The difference here is that he went off master, and I'm preparing a version for a Camtasia 9 release. Camtasia 9 released with mp4v2 v3.0.3, so I branched off that and created this PR, which will be for v3.0.4.

daveorourke and others added 7 commits April 8, 2019 09:24
The calculation `hdrSize - dataSize` can underflow the 64-bit unsigned int dataSize type, which can lead to incorrect results.  We throw an exception to stop the code from going any further.

Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14325
If the atom type has an embedded nul character "\x00", the loop can terminate early and return true (match) when it should return false (no match).  This function should only return true if we have reached the loop termination conditions on s2.

For example:
   // These test cases passed before and after this change
   AssertIsTrue( MP4NameFirstMatches( "sdtp", "sdtp" ) );       // Exact match
   AssertIsTrue( MP4NameFirstMatches( "trak", "trak[1]" ) );    // Matches up to [
   AssertIsTrue( MP4NameFirstMatches( "sdtp", "sdtp." ) );      // Matches up to .
   AssertIsFalse( MP4NameFirstMatches( "\x00dtp", "sdtp." ) );  // Nul character at s[0]

   // These test cases failed before this change, and pass after this change
   AssertIsFalse( MP4NameFirstMatches( "s\x00tp", "sdtp." ) );  // Nul character at s[1]
   AssertIsFalse( MP4NameFirstMatches( "sd\x00p", "sdtp." ) );  // Nul character at s[2]
   AssertIsFalse( MP4NameFirstMatches( "sdt\x00", "sdtp." ) );  // Nul character at s[3]

Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14403
If an exception occurs (because of a crafted MP4) before the value is reassigned, then a double free can occur.  By setting the pointer to NULL after the first free, we prevent the double free in this case.

Addresses: https://nvd.nist.gov/vuln/detail/CVE-2018-14054
I copied what DRO did in his commit for the top of the branch (1695b60), except this one is branched off the last release for Camtasia 9.
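As an added example (not code from this PR or from mp4v2 itself), a simplified reconstruction of two of the fixes the commits above describe: a prefix match that only succeeds once s2 reaches its terminator, shown beside the pre-fix shape that exits on s1's terminator, and an unsigned-size guard of the kind the first commit describes. Function names and the operand roles in the size guard are assumptions.

```cpp
#include <cstdint>
#include <stdexcept>

// Constructed illustration of the MP4NameFirstMatches fix (CVE-2018-14403).
// s1 is the atom type read from the file; s2 is the lookup pattern, which
// ends at '\0', '[' (index) or '.' (child separator). Not mp4v2's source.

// Pre-fix shape: the loop stops when s1 ends, so an embedded nul inside s1
// ends the loop early and the function reports a match.
static bool nameFirstMatchesBuggy(const char* s1, const char* s2)
{
    if (s1 == nullptr || *s1 == '\0' || s2 == nullptr || *s2 == '\0') return false;
    while (*s1 != '\0') {
        if (*s2 == '\0' || *s2 == '[' || *s2 == '.') break;
        if (*s1 != *s2) return false;
        ++s1; ++s2;
    }
    return true;   // reached even when s1 ended before s2's terminator
}

// Fixed shape: return true only when the loop reaches s2's terminator with
// every character matched; s1 ending early is a mismatch against s2's next
// non-terminator character and therefore returns false.
static bool nameFirstMatchesFixed(const char* s1, const char* s2)
{
    if (s1 == nullptr || *s1 == '\0' || s2 == nullptr || *s2 == '\0') return false;
    for (;;) {
        if (*s2 == '\0' || *s2 == '[' || *s2 == '.') return true;
        if (*s1 != *s2) return false;   // also covers *s1 == '\0'
        ++s1; ++s2;
    }
}

// Constructed guard of the kind the CVE-2018-14325 commit describes: refuse
// to compute a difference that would wrap the unsigned operand instead of
// handing a huge size to the reader. Names and operand roles are assumed.
static uint64_t atomPayloadSize(uint64_t atomSize, uint64_t hdrSize)
{
    if (atomSize < hdrSize)
        throw std::runtime_error("atom size smaller than its header size");
    return atomSize - hdrSize;
}

// Helper so the guard can be checked without a try/catch at the call site.
static bool atomPayloadSizeRejects(uint64_t atomSize, uint64_t hdrSize)
{
    try { (void)atomPayloadSize(atomSize, hdrSize); return false; }
    catch (const std::runtime_error&) { return true; }
}
```

Note that a literal such as "\x00dtp" is not a nul followed by "dtp" in C++, because the hex escape greedily consumes the 'd'; split the literal ("\x00" "dtp") or use "\0dtp" when writing such a test.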
@alexwnovak alexwnovak changed the title Incorporating security fixes Incorporating security fixes for Camtasia 9 Apr 8, 2019
@daveorourke daveorourke self-assigned this Apr 8, 2019
@daveorourke daveorourke left a comment

Looks good to me. 👍

@alexwnovak alexwnovak merged commit 6fe75cd into 3.0.3 Apr 8, 2019