shithub: aacdec

Download patch

ref: 6b4a7cde30f2e2cb03e78ef476cc73179cfffda3
parent: 466b01d504d7e45f1e9169ac90b3e34ab94aed14
author: Hugo Lefeuvre <hle@debian.org>
date: Thu Apr 11 05:34:07 EDT 2019

sbr_hfadj: sanitize frequency band borders

user passed f_table_lim contains frequency band borders. Frequency
bands are groups of consecutive QMF channels. This means that their
bounds, as provided by f_table_lim, should never exceed MAX_M (maximum
number of QMF channels). c.f. ISO/IEC 14496-3:2001

FAAD2 does not verify this, leading to security issues when
processing files defining f_table_lim with values > MAX_M.

This patch sanitizes the values of f_table_lim so that they can be safely
used as index for Q_M_lim and G_lim arrays.

Fixes #21 (CVE-2018-20194).

--- a/libfaad/sbr_hfadj.c
+++ b/libfaad/sbr_hfadj.c
@@ -485,7 +485,13 @@
             ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
             ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
 
+            if (ml1 > MAX_M)
+                ml1 = MAX_M;
 
+            if (ml2 > MAX_M)
+                ml2 = MAX_M;
+
+
             /* calculate the accumulated E_orig and E_curr over the limiter band */
             for (m = ml1; m < ml2; m++)
             {
@@ -949,7 +955,13 @@
             ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
             ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
 
+            if (ml1 > MAX_M)
+                ml1 = MAX_M;
 
+            if (ml2 > MAX_M)
+                ml2 = MAX_M;
+
+
             /* calculate the accumulated E_orig and E_curr over the limiter band */
             for (m = ml1; m < ml2; m++)
             {
@@ -1192,6 +1204,12 @@
 
             ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
             ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
+            if (ml1 > MAX_M)
+                ml1 = MAX_M;
+
+            if (ml2 > MAX_M)
+                ml2 = MAX_M;
 
 
             /* calculate the accumulated E_orig and E_curr over the limiter band */