ref: 942c3e0aee748ea6fe97cb2c1aa5893225316174
parent: a8dc3f8ce67f4069cfa4d5cf0fcc2c6e8ef2c2aa
author: Fabian Greffrath <[email protected]>
date: Mon Jun 10 09:58:40 EDT 2019
Fix a couple buffer overflows https://hackerone.com/reports/502816 https://hackerone.com/reports/507858 https://github.com/videolan/vlc/blob/master/contrib/src/faad2/faad2-fix-overflows.patch
--- a/libfaad/bits.c
+++ b/libfaad/bits.c
@@ -167,7 +167,10 @@
int words = bits >> 5;
int remainder = bits & 0x1F;
- ld->bytes_left = ld->buffer_size - words*4;
+ if (ld->buffer_size < words * 4)
+ ld->bytes_left = 0;
+ else
+ ld->bytes_left = ld->buffer_size - words*4;
if (ld->bytes_left >= 4)
{
--- a/libfaad/syntax.c
+++ b/libfaad/syntax.c
@@ -2304,6 +2304,8 @@
while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
{
+ if (i >= MAX_CHANNELS - num_excl_chan - 7)
+ return n;
for (i = num_excl_chan; i < num_excl_chan+7; i++)
{
drc->exclude_mask[i] = faad_get1bit(ld