ref: 6aeeaa1af0caf986daf22852a97f7c13c5edd879
parent: 805be6bd1e0670916a41d0cd33623608b44f78a2
author: Hugo Lefeuvre <[email protected]>
date: Sun May 5 07:53:01 EDT 2019
sbr_fbt: sbr->M should not exceed MAX_M sbr->M is set by derived_frequency_table() from user-passed input without checking for > MAX_M. This leads to out-of-bounds accesses later, crashes and potential security relevant issues. It should be considered a fatal error for the SBR block. return error code if sbr->M > MAX_M. also, in some cases sbr_extension_data() ignores the return value of calc_sbr_tables, probably assuming that sbr is always valid. It should almost certainly not do that. fixes #19 (CVE-2018-20196).
--- a/libfaad/sbr_fbt.c
+++ b/libfaad/sbr_fbt.c
@@ -526,6 +526,8 @@
}
sbr->M = sbr->f_table_res[HI_RES][sbr->N_high] - sbr->f_table_res[HI_RES][0];
+ if (sbr->M > MAX_M)
+ return 1;
sbr->kx = sbr->f_table_res[HI_RES][0];
if (sbr->kx > 32)
return 1;
--- a/libfaad/sbr_syntax.c
+++ b/libfaad/sbr_syntax.c
@@ -196,7 +196,7 @@
/* if an error occured with the new header values revert to the old ones */
if (rt > 0)
{
- calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
+ result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
saved_samplerate_mode, saved_freq_scale,
saved_alter_scale, saved_xover_band);
}
@@ -215,7 +215,7 @@
if ((result > 0) &&
(sbr->Reset || (sbr->bs_header_flag && sbr->just_seeked)))
{
- calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
+ result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
saved_samplerate_mode, saved_freq_scale,
saved_alter_scale, saved_xover_band);
}