shithub: aacdec


ref: 6823e6610c9af1b0080cb22b9da03efb208d7d57
parent: 3b80a57483a6bc822d3ce3cc640fa81737a87c54
author: Hugo Lefeuvre <[email protected]>
date: Fri Aug 23 04:08:19 EDT 2019

ps_dec: sanitize iid_index before mixing

index range is supposed to be within -7 and 7 or -15 and 15 depending on
iid_mode (see Table 8.24, ISO/IEC 14496-3:2005).

Indexes outside these boundaries are likely to be errors and should be
sanitized to avoid memory corruption. Replace any index under
-no_iid_steps (-7 or -15 depending on iid_mode) by -no_iid_steps. Replace
any index above no_iid_steps by no_iid_steps. Try to process further.

This commit addresses CVE-2019-6956 (fixes #39).

--- a/libfaad/ps_dec.c
+++ b/libfaad/ps_dec.c
@@ -1508,6 +1508,20 @@
 
                 //printf("%d\n", ps->iid_index[env][bk]);
 
+                /* index range is supposed to be -7...7 or -15...15 depending on iid_mode
+                   (Table 8.24, ISO/IEC 14496-3:2005).
+                   if it is outside these boundaries, this is most likely an error. sanitize
+                   it and try to process further. */
+                if (ps->iid_index[env][bk] < -no_iid_steps) {
+                    fprintf(stderr, "Warning: invalid iid_index: %d < %d\n", ps->iid_index[env][bk],
+                        -no_iid_steps);
+                    ps->iid_index[env][bk] = -no_iid_steps;
+                } else if (ps->iid_index[env][bk] > no_iid_steps) {
+                    fprintf(stderr, "Warning: invalid iid_index: %d > %d\n", ps->iid_index[env][bk],
+                        no_iid_steps);
+                    ps->iid_index[env][bk] = no_iid_steps;
+                }
+
                 /* calculate the scalefactors c_1 and c_2 from the intensity differences */
                 c_1 = sf_iid[no_iid_steps + ps->iid_index[env][bk]];
                 c_2 = sf_iid[no_iid_steps - ps->iid_index[env][bk]];
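Review bot: The two `fprintf(stderr, "Warning: invalid iid_index: ...")` calls added just above the `sf_iid` lookups print once per out-of-range index, so the volume of text a decoder library writes to the host's stderr is set by the untrusted stream. The clamp alone is what keeps `sf_iid[no_iid_steps + ps->iid_index[env][bk]]` and `sf_iid[no_iid_steps - ps->iid_index[env][bk]]` in range, so I would keep only `ps->iid_index[env][bk] = -no_iid_steps;` and `ps->iid_index[env][bk] = no_iid_steps;` in the two branches and report the condition at most once per frame through whatever error path the decoder already has (not visible in this hunk). The sanitizing happens at this point of use, so any code that reads `ps->iid_index` earlier would still see the raw value; validating where the index is decoded from the bitstream would cover that, if such readers exist. The enclosing function and its loops start and end outside the hunk.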