3.0.3 #41

Open: wants to merge 8 commits into base: main

Conversation

preetha-mohan

merge errors

daveorourke and others added 8 commits April 8, 2019 09:24
The calculation `hdrSize - dataSize` can underflow the 64-bit unsigned int dataSize type, which can lead to incorrect results. We throw an exception to stop the code from going any further.

Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14325

If the atom type has an embedded nul character "\x00", the loop can terminate early and return true (match) when it should return false (no match). This function should only return true if we have reached the loop termination conditions on s2.

For example:
   // These test cases passed before and after this change
   AssertIsTrue( MP4NameFirstMatches( "sdtp", "sdtp" ) );       // Exact match
   AssertIsTrue( MP4NameFirstMatches( "trak", "trak[1]" ) );    // Matches up to [
   AssertIsTrue( MP4NameFirstMatches( "sdtp", "sdtp." ) );      // Matches up to .
   AssertIsFalse( MP4NameFirstMatches( "\x00dtp", "sdtp." ) );  // Nul character at s[0]

   // These test cases failed before this change, and pass after this change
   AssertIsFalse( MP4NameFirstMatches( "s\x00tp", "sdtp." ) );  // Nul character at s[1]
   AssertIsFalse( MP4NameFirstMatches( "sd\x00p", "sdtp." ) );  // Nul character at s[2]
   AssertIsFalse( MP4NameFirstMatches( "sdt\x00", "sdtp." ) );  // Nul character at s[3]

Addresses https://nvd.nist.gov/vuln/detail/CVE-2018-14403

If an exception occurs (because of a crafted MP4) before the value is reassigned, then a double free can occur. By setting the pointer to NULL after the first free, we prevent the double free in this case.

Addresses: https://nvd.nist.gov/vuln/detail/CVE-2018-14054

I copied what DRO did in his commit for the top of the branch (1695b60), except this one is branched off the last release for Camtasia 9.

Incorporating security fixes for Camtasia 9
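As an added illustration of the MP4NameFirstMatches commit above (this is example code written for this page, not mp4v2's code, which the PR does not show): a reconstruction of the prefix matcher before and after the fix. The stop characters '[' and '.' come from the commit's own test cases; the function names, the exact comparison rule and everything else are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Assumed reconstruction of the matcher described in the commit message;
 * not the project's code. s1 is the atom type as read from the file (four
 * raw bytes, so a crafted file can put a nul inside it), s2 is the caller's
 * search pattern, compared only up to a '[' or '.' (per the test cases). */

static bool pattern_terminated(char c)
{
    return c == '\0' || c == '[' || c == '.';
}

/* Before the fix: an early nul in s1 ends the loop and falls through to
 * "return true", so "s\0tp" is reported as matching "sdtp.". */
bool name_first_matches_before(const char *s1, const char *s2)
{
    if (s1 == NULL || *s1 == '\0' || s2 == NULL || *s2 == '\0')
        return false;
    while (*s1 != '\0') {
        if (pattern_terminated(*s2))
            break;
        if (*s1 != *s2)
            return false;
        s1++;
        s2++;
    }
    return true; /* reached whether s2 was exhausted or s1 was cut short */
}

/* After the fix: true only if the loop stopped because s2 reached a
 * terminator, i.e. every pattern byte before '[' / '.' / end was consumed. */
bool name_first_matches_after(const char *s1, const char *s2)
{
    if (s1 == NULL || *s1 == '\0' || s2 == NULL || *s2 == '\0')
        return false;
    while (*s1 != '\0') {
        if (pattern_terminated(*s2))
            break;
        if (*s1 != *s2)
            return false;
        s1++;
        s2++;
    }
    return pattern_terminated(*s2);
}
```

Note that in a C literal "\x00dtp" the 'd' is swallowed into the hex escape, so a test for a nul at s[0] must be written as "\x00" "dtp".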