| From 466b01d504d7e45f1e9169ac90b3e34ab94aed14 Mon Sep 17 00:00:00 2001 |
| From: Hugo Lefeuvre <hle@debian.org> |
| Date: Mon, 25 Feb 2019 10:49:03 +0100 |
| Subject: [PATCH] syntax.c: check for syntax element inconsistencies |
| |
| Implicit channel mapping reconfiguration is explicitely forbidden by |
| ISO/IEC 13818-7:2006 (8.5.3.3). Decoders should be able to detect such |
| files and reject them. FAAD2 does not perform any kind of checks |
| regarding this. |
| |
| This leads to security vulnerabilities when processing crafted AAC |
| files performing such reconfigurations. |
| |
| Add checks to decode_sce_lfe and decode_cpe to make sure such |
| inconsistencies are detected as early as possible. |
| |
| These checks first read hDecoder->frame: if this is not the first |
| frame then we make sure that the syntax element at the same position |
| in the previous frame also had element_id id_syn_ele. If not, return |
| 21 as this is a fatal file structure issue. |
| |
| This patch addresses CVE-2018-20362 (fixes #26) and possibly other |
| related issues. |
| |
| Signed-off-by: Baruch Siach <baruch@tkos.co.il> |
| --- |
| Upstream status: commit 466b01d504d7 |
| |
| libfaad/syntax.c | 12 ++++++++++++ |
| 1 file changed, 12 insertions(+) |
| |
| diff --git a/libfaad/syntax.c b/libfaad/syntax.c |
| index f8e808c269c0..e7fb11381e46 100644 |
| --- a/libfaad/syntax.c |
| +++ b/libfaad/syntax.c |
| @@ -344,6 +344,12 @@ static void decode_sce_lfe(NeAACDecStruct *hDecoder, |
| can become 2 when some form of Parametric Stereo coding is used |
| */ |
| |
| + if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) { |
| + /* element inconsistency */ |
| + hInfo->error = 21; |
| + return; |
| + } |
| + |
| /* save the syntax element id */ |
| hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele; |
| |
| @@ -395,6 +401,12 @@ static void decode_cpe(NeAACDecStruct *hDecoder, NeAACDecFrameInfo *hInfo, bitfi |
| return; |
| } |
| |
| + if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) { |
| + /* element inconsistency */ |
| + hInfo->error = 21; |
| + return; |
| + } |
| + |
| /* save the syntax element id */ |
| hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele; |
| |
| -- |
| 2.20.1 |
| |