shithub: aacenc


ref: bdb83a630e3c0c5b91481336e74951806efea534
parent: 30f39e1c3a362a762fe89cebfa171b6cf5119431
author: Fabian Greffrath <fabian@greffrath.com>
date: Wed Oct 2 07:20:39 EDT 2019

check index ranges before dereferencing book arrays

Fixes #20, fixes #21, fixes #22, fixes #23, fixes #24, fixes #25
CVE-2018-19886

--- a/libfaac/huff2.c
+++ b/libfaac/huff2.c
@@ -66,6 +66,8 @@
 # define DRMDATA
 #endif
 
+#define arrlen(array) (sizeof(array) / sizeof(*array))
+
 static int huffcode(int *qs /* quantized spectrum */,
                     int len,
                     int bnum,
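Review bot: `arrlen` gives a meaningful count only for a true array, and nothing in the definition says so or guards against a pointer argument. The lookups this commit protects go through `book`, which looks like a pointer, so a later `arrlen(book)` would compile and produce a far too small or meaningless bound. I would parenthesise the argument and document the restriction: `#define arrlen(array) (sizeof(array) / sizeof((array)[0])) /* arrays only, never a pointer */`. The macro also yields `size_t`, so in `idx >= arrlen(...)` the `int` index is converted to unsigned; the separate `idx < 0` test is what keeps the intent readable and quiets `-Wsign-compare`, so it is worth keeping.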
@@ -111,6 +113,10 @@
         {
             qp = qs+ofs;
             idx = 27 * qp[0] + 9 * qp[1] + 3 * qp[2] + qp[3] + 40;
+            if (idx < 0 || idx >= arrlen(book01))
+            {
+                return -1;
+            }
             blen = book[idx].len;
             if (coder)
             {
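Review bot: The bound is taken from `book01`, but the dereference on the next line goes through `book`, which is assigned outside this hunk. The check is only sound if every table `book` can point to in this branch has at least `arrlen(book01)` entries. The same pattern repeats in the hunks that test `book03`, `book05`, `book07`, `book09` and `book11`. If each branch serves a pair of codebooks, as it presumably does, a comment such as `/* both tables handled by this case have the same length as book01 */` would record the assumption. A compile-time assertion comparing the paired tables' lengths would enforce it.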
@@ -128,6 +134,10 @@
         {
             qp = qs+ofs;
             idx = 27 * abs(qp[0]) + 9 * abs(qp[1]) + 3 * abs(qp[2]) + abs(qp[3]);
+            if (idx < 0 || idx >= arrlen(book03))
+            {
+                return -1;
+            }
             blen = book[idx].len;
             if (!coder)
             {
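Review bot: The new `return -1` adds a failure value to `huffcode` that is not documented, and the six early returns (this hunk and the other five index checks) can fire after earlier loop iterations have already run. The callers are outside this diff, so it is not visible whether they test for a negative result. If one adds the return value to a running bit count, the error would be absorbed as a slightly smaller total instead of aborting the frame. I would add a function comment along the lines of `/* returns -1 if a quantized value does not fit the selected codebook; output already emitted for this band is then invalid */`, and confirm each call site checks for it.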
@@ -163,6 +173,10 @@
         {
             qp = qs+ofs;
             idx = 9 * qp[0] + qp[1] + 40;
+            if (idx < 0 || idx >= arrlen(book05))
+            {
+                return -1;
+            }
             blen = book[idx].len;
             if (coder)
             {
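Review bot: Checking only the combined `idx` stops the out-of-bounds read but still accepts out-of-range components that happen to sum into the table. With `idx = 9 * qp[0] + qp[1] + 40`, the pair (5, -40) gives 45, which passes the test and would be encoded as a different pair. The multiplier and offset imply each component is expected in [-4, 4], so validating the inputs themselves is stricter, for example `if (abs(qp[0]) > 4 || abs(qp[1]) > 4) return -1;` before computing `idx`. The same aliasing applies to the other index formulas in this commit. Checking components first also avoids relying on signed arithmetic that could overflow if the quantized values are not otherwise bounded.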
@@ -180,6 +194,10 @@
         {
             qp = qs+ofs;
             idx = 8 * abs(qp[0]) + abs(qp[1]);
+            if (idx < 0 || idx >= arrlen(book07))
+            {
+                return -1;
+            }
             blen = book[idx].len;
             if (!coder)
             {
@@ -213,6 +231,10 @@
         {
             qp = qs+ofs;
             idx = 13 * abs(qp[0]) + abs(qp[1]);
+            if (idx < 0 || idx >= arrlen(book09))
+            {
+                return -1;
+            }
             blen = book[idx].len;
             if (!coder)
             {
@@ -254,6 +276,10 @@
             if (x1 > 16)
                 x1 = 16;
             idx = 17 * x0 + x1;
+            if (idx < 0 || idx >= arrlen(book11))
+            {
+                return -1;
+            }
 
             blen = book[idx].len;
             if (!coder)