shithub: aacdec

Download patch

ref: 942c3e0aee748ea6fe97cb2c1aa5893225316174
parent: a8dc3f8ce67f4069cfa4d5cf0fcc2c6e8ef2c2aa
author: Fabian Greffrath <[email protected]>
date: Mon Jun 10 09:58:40 EDT 2019

Fix a couple buffer overflows

https://hackerone.com/reports/502816
https://hackerone.com/reports/507858

https://github.com/videolan/vlc/blob/master/contrib/src/faad2/faad2-fix-overflows.patch

--- a/libfaad/bits.c
+++ b/libfaad/bits.c
@@ -167,7 +167,10 @@
     int words = bits >> 5;
     int remainder = bits & 0x1F;
 
-    ld->bytes_left = ld->buffer_size - words*4;
+    if (ld->buffer_size < words * 4)
+        ld->bytes_left = 0;
+    else
+        ld->bytes_left = ld->buffer_size - words*4;
 
     if (ld->bytes_left >= 4)
     {
--- a/libfaad/syntax.c
+++ b/libfaad/syntax.c
@@ -2304,6 +2304,8 @@
     while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
         DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
     {
+        if (i >= MAX_CHANNELS - num_excl_chan - 7)
+            return n;
         for (i = num_excl_chan; i < num_excl_chan+7; i++)
         {
             drc->exclude_mask[i] = faad_get1bit(ld