ref: 6b4a7cde30f2e2cb03e78ef476cc73179cfffda3
parent: 466b01d504d7e45f1e9169ac90b3e34ab94aed14
author: Hugo Lefeuvre <hle@debian.org>
date: Thu Apr 11 05:34:07 EDT 2019
sbr_hfadj: sanitize frequency band borders user passed f_table_lim contains frequency band borders. Frequency bands are groups of consecutive QMF channels. This means that their bounds, as provided by f_table_lim, should never exceed MAX_M (maximum number of QMF channels). c.f. ISO/IEC 14496-3:2001 FAAD2 does not verify this, leading to security issues when processing files defining f_table_lim with values > MAX_M. This patch sanitizes the values of f_table_lim so that they can be safely used as index for Q_M_lim and G_lim arrays. Fixes #21 (CVE-2018-20194).
--- a/libfaad/sbr_hfadj.c
+++ b/libfaad/sbr_hfadj.c
@@ -485,7 +485,13 @@
ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+ if (ml1 > MAX_M)
+ ml1 = MAX_M;
+ if (ml2 > MAX_M)
+ ml2 = MAX_M;
+
+
/* calculate the accumulated E_orig and E_curr over the limiter band */
for (m = ml1; m < ml2; m++)
{
@@ -949,7 +955,13 @@
ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+ if (ml1 > MAX_M)
+ ml1 = MAX_M;
+ if (ml2 > MAX_M)
+ ml2 = MAX_M;
+
+
/* calculate the accumulated E_orig and E_curr over the limiter band */
for (m = ml1; m < ml2; m++)
{
@@ -1192,6 +1204,12 @@
ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
+ if (ml1 > MAX_M)
+ ml1 = MAX_M;
+
+ if (ml2 > MAX_M)
+ ml2 = MAX_M;
/* calculate the accumulated E_orig and E_curr over the limiter band */