shithub: aacdec

Download patch

ref: 3b80a57483a6bc822d3ce3cc640fa81737a87c54
parent: 19b81b0cb9c82430a01c4806543a580d3b656dd0
author: Hugo Lefeuvre <[email protected]>
date: Mon Aug 19 13:24:55 EDT 2019

specrec: better handle unexpected PS

Parametric Stereo (PS) can arrive at any moment in input files. PS
changes the number of output channels and therefore requires more
allocated memory in various structures from hDecoder.

The current faad2 code attempts to perform allocation surgery in
hDecoder to recover from this. This works well when there is only one
frame channel, else it creates large number of memory corruption
issues.

If there is more than one input channel, return cleanly with error
code. It would be nice to handle this, but this is likely to be a lot
of work and is beyond the scope of a security fix.

This commit addresses CVE-2018-20360 and CVE-2018-20199 (fixes #32,
fixes #24).

--- a/libfaad/specrec.c
+++ b/libfaad/specrec.c
@@ -915,18 +915,18 @@
         /* element_output_channels not set yet */
         hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels;
     } else if (hDecoder->element_output_channels[hDecoder->fr_ch_ele] != output_channels) {
-        /* element inconsistency */
-
-        /* this only happens if PS is actually found but not in the first frame
+        /* element inconsistency
+         * this only happens if PS is actually found but not in the first frame
          * this means that there is only 1 bitstream element!
          */
 
-        /* reset the allocation */
-        hDecoder->element_alloced[hDecoder->fr_ch_ele] = 0;
-
-        hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels;
-
-        //return 21;
+        if (hDecoder->fr_channels == 1) {
+            /* reset the allocation */
+            hDecoder->element_alloced[hDecoder->fr_ch_ele] = 0;
+            hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels;
+        } else {
+            return 21;
+        }
     }
 
     if (hDecoder->element_alloced[hDecoder->fr_ch_ele] == 0)