File CVE-2019-11372_CVE-2019-11373.patch of Package libmediainfo

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-11372_CVE-2019-11373.patch of Package libmediainfo

From 716747fdde2c8dd6d0fca1223362ae5ce533ae38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Martinez?= <jerome@mediaarea.net>
Date: Thu, 11 Apr 2019 12:39:13 +0200
Subject: [PATCH 1/2] x B1101, AVI: fix crash with some invalid streams

---
 Source/MediaInfo/Multiple/File_Riff.cpp          | 2 +-
 Source/MediaInfo/Multiple/File_Riff_Elements.cpp | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/Source/MediaInfo/Multiple/File_Riff.cpp b/Source/MediaInfo/Multiple/File_Riff.cpp
index e54123520..626c2d3b5 100644
--- a/Source/MediaInfo/Multiple/File_Riff.cpp
+++ b/Source/MediaInfo/Multiple/File_Riff.cpp
@@ -938,7 +938,7 @@ void File_Riff::Header_Parse()
     }
 
     //Alignment
-    if (Size_Complete%2 && !IsNotWordAligned)
+    if (Size_Complete%2 && !IsNotWordAligned && File_Offset+Buffer_Offset+Element_Offset+Size_Complete<File_Size)
     {
         Size_Complete++; //Always 2-byte aligned
         Alignement_ExtraByte=1;
diff --git a/Source/MediaInfo/Multiple/File_Riff_Elements.cpp b/Source/MediaInfo/Multiple/File_Riff_Elements.cpp
index 2622dfc16..5cea75be1 100644
--- a/Source/MediaInfo/Multiple/File_Riff_Elements.cpp
+++ b/Source/MediaInfo/Multiple/File_Riff_Elements.cpp
@@ -450,7 +450,8 @@ namespace Elements
 void File_Riff::Data_Parse()
 {
     //Alignement specific
-    Element_Size-=Alignement_ExtraByte;
+    if (Alignement_ExtraByte<=Element_Size)
+        Element_Size-=Alignement_ExtraByte;
 
     DATA_BEGIN
     LIST(AIFC)

From 65a7c4b24025b8fba0ead719c21ac562206d4ebf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Martinez?= <jerome@mediaarea.net>
Date: Thu, 11 Apr 2019 12:39:29 +0200
Subject: [PATCH 2/2] x B1101, SMPTE ST 337: fix crash with some invalid
 streams

---
 Source/MediaInfo/Audio/File_SmpteSt0337.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Source/MediaInfo/Audio/File_SmpteSt0337.cpp b/Source/MediaInfo/Audio/File_SmpteSt0337.cpp
index 7fa87b4cc..03775dcb7 100644
--- a/Source/MediaInfo/Audio/File_SmpteSt0337.cpp
+++ b/Source/MediaInfo/Audio/File_SmpteSt0337.cpp
@@ -1158,6 +1158,7 @@ void File_SmpteSt0337::Data_Parse()
 
     // Parsing
     int32u  length_code;
+    int8u data_type_New;
     Element_Begin1("Header");
         BS_Begin();
         Skip_S3(Stream_Bits,                                    "Pa");
@@ -1167,7 +1168,7 @@ void File_SmpteSt0337::Data_Parse()
             Skip_S1( 5,                                         "data_type_dependent");
             Skip_SB(                                            "error_flag");
             Info_S1( 2, data_mode,                              "data_mode"); Param_Info2(16+4*data_mode, " bits");
-            Get_S1 ( 5, data_type,                              "data_type"); Param_Info1(Smpte_St0337_data_type[data_type]);
+            Get_S1 ( 5, data_type_New,                          "data_type"); Param_Info1(Smpte_St0337_data_type[data_type]);
             if (Stream_Bits>16)
                 Skip_S1( 4,                                     "reserved");
             if (Stream_Bits>20)
@@ -1177,6 +1178,11 @@ void File_SmpteSt0337::Data_Parse()
         BS_End();
     Element_End0();
 
+    if (data_type_New!=data_type)
+    {
+        delete Parser; Parser=NULL;
+        data_type=data_type_New;
+    }
     if (Parser==NULL)
     {
         switch(data_type)

Places

File CVE-2019-11372_CVE-2019-11373.patch of Package libmediainfo

Places