shithub: aacdec


ref: 6aeeaa1af0caf986daf22852a97f7c13c5edd879
parent: 805be6bd1e0670916a41d0cd33623608b44f78a2
author: Hugo Lefeuvre <[email protected]>
date: Sun May 5 07:53:01 EDT 2019

sbr_fbt: sbr->M should not exceed MAX_M

sbr->M is set by derived_frequency_table() from user-passed input
without checking for > MAX_M.

This leads to out-of-bounds accesses later, crashes and potential
security relevant issues. It should be considered a fatal error for
the SBR block.

return error code if sbr->M > MAX_M.

also, in some cases sbr_extension_data() ignores the return value of
calc_sbr_tables, probably assuming that sbr is always valid. It should
almost certainly not do that.

fixes #19 (CVE-2018-20196).

--- a/libfaad/sbr_fbt.c
+++ b/libfaad/sbr_fbt.c
@@ -526,6 +526,8 @@
     }
 
     sbr->M = sbr->f_table_res[HI_RES][sbr->N_high] - sbr->f_table_res[HI_RES][0];
+    if (sbr->M > MAX_M)
+        return 1;
     sbr->kx = sbr->f_table_res[HI_RES][0];
     if (sbr->kx > 32)
         return 1;
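Review bot: On the new error path `sbr->M` is left holding the out-of-range value, because the assignment precedes the added `if (sbr->M > MAX_M)` test. The commit message itself says some callers have ignored this function's return value, so any path that carries on after a failure would still see an M larger than the arrays it indexes are presumably sized for. Validating before storing would avoid that, e.g. compute the difference into a local and only then assign: `if (m > MAX_M) return 1;` followed by `sbr->M = m;`. A short comment such as `/* M is used as an array bound elsewhere; reject the SBR block rather than clamp */` would also record why this is fatal. The enclosing function starts and ends outside the hunk, so the types of `M` and the table entries, and the bound on `sbr->N_high`, could not be checked here.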
--- a/libfaad/sbr_syntax.c
+++ b/libfaad/sbr_syntax.c
@@ -196,7 +196,7 @@
             /* if an error occured with the new header values revert to the old ones */
             if (rt > 0)
             {
-                calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
+                result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
                     saved_samplerate_mode, saved_freq_scale,
                     saved_alter_scale, saved_xover_band);
             }
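Review bot: `result += calc_sbr_tables(...)` sums return codes rather than recording a failure, and the same pattern recurs in the second sbr_syntax.c hunk at -215, where `result` is already non-zero when the call is made. The declaration of `result` is outside the hunk; if it is a narrow unsigned type, or if callers compare it against specific error values, the sum no longer means anything definite. An explicit form states the intent better: `if (calc_sbr_tables(sbr, saved_start_freq, ...) > 0) result = 1;`. It would also help to add a comment that a failed revert leaves the frequency tables invalid and the SBR block must be abandoned. Whether anything later in the function clears `result` before it is returned is not visible from these lines and is worth confirming.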
@@ -215,7 +215,7 @@
             if ((result > 0) &&
                 (sbr->Reset || (sbr->bs_header_flag && sbr->just_seeked)))
             {
-                calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
+                result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
                     saved_samplerate_mode, saved_freq_scale,
                     saved_alter_scale, saved_xover_band);          
             }