shithub: aacdec

Download patch

ref: 372b2e44049f355c52c13d75112db9f14d0ae4f7
parent: 00adf5c33e051fcb97b91d4a530efe59fe0eb14a
author: LoRd_MuldeR <[email protected]>
date: Sat Dec 16 14:47:46 EST 2017

Fixed possible buffer overflow. Buffer 'percents' was statically allocated with fixed size, but a string of *unbounded* size (because it contains a user-supplied the file name) was written into that buffer via sprintf().

--- a/frontend/main.c
+++ b/frontend/main.c
@@ -70,6 +70,7 @@
 #define MAX_CHANNELS 6 /* make this higher to support files with
                           more channels */
 
+#define MAX_PERCENTS 384
 
 static int quiet = 0;
 
@@ -469,7 +470,7 @@
     NeAACDecFrameInfo frameInfo;
     NeAACDecConfigurationPtr config;
 
-    char percents[200];
+    char percents[MAX_PERCENTS];
     int percent, old_percent = -1;
     int bread, fileread;
     int header_type = 0;
@@ -734,7 +735,7 @@
         if (percent > old_percent)
         {
             old_percent = percent;
-            sprintf(percents, "%d%% decoding %s.", percent, aacfile);
+            snprintf(percents, MAX_PERCENTS, "%d%% decoding %s.", percent, aacfile);
             faad_fprintf(stderr, "%s\r", percents);
 #ifdef _WIN32
             SetConsoleTitle(percents);
@@ -802,7 +803,7 @@
     NeAACDecFrameInfo frameInfo;
     mp4AudioSpecificConfig mp4ASC;
 
-    char percents[200];
+    char percents[MAX_PERCENTS];
     int percent, old_percent = -1;
 
     int first_time = 1;
@@ -979,7 +980,7 @@
         if (percent > old_percent)
         {
             old_percent = percent;
-            sprintf(percents, "%d%% decoding %s.", percent, mp4file);
+            snprintf(percents, MAX_PERCENTS, "%d%% decoding %s.", percent, mp4file);
             faad_fprintf(stderr, "%s\r", percents);
 #ifdef _WIN32
             SetConsoleTitle(percents);