| From 6b4a7cde30f2e2cb03e78ef476cc73179cfffda3 Mon Sep 17 00:00:00 2001 |
| From: Hugo Lefeuvre <hle@debian.org> |
| Date: Thu, 11 Apr 2019 09:34:07 +0200 |
| Subject: [PATCH] sbr_hfadj: sanitize frequency band borders |
| |
| user passed f_table_lim contains frequency band borders. Frequency |
| bands are groups of consecutive QMF channels. This means that their |
| bounds, as provided by f_table_lim, should never exceed MAX_M (maximum |
| number of QMF channels). c.f. ISO/IEC 14496-3:2001 |
| |
| FAAD2 does not verify this, leading to security issues when |
| processing files defining f_table_lim with values > MAX_M. |
| |
| This patch sanitizes the values of f_table_lim so that they can be safely |
| used as index for Q_M_lim and G_lim arrays. |
| |
| Fixes #21 (CVE-2018-20194). |
| |
| Signed-off-by: Baruch Siach <baruch@tkos.co.il> |
| --- |
| Upstream status: commit 6b4a7cde30f2e |
| |
| libfaad/sbr_hfadj.c | 18 ++++++++++++++++++ |
| 1 file changed, 18 insertions(+) |
| |
| diff --git a/libfaad/sbr_hfadj.c b/libfaad/sbr_hfadj.c |
| index 3f310b8190d7..dda1ce8e249b 100644 |
| --- a/libfaad/sbr_hfadj.c |
| +++ b/libfaad/sbr_hfadj.c |
| @@ -485,6 +485,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch) |
| ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k]; |
| ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1]; |
| |
| + if (ml1 > MAX_M) |
| + ml1 = MAX_M; |
| + |
| + if (ml2 > MAX_M) |
| + ml2 = MAX_M; |
| + |
| |
| /* calculate the accumulated E_orig and E_curr over the limiter band */ |
| for (m = ml1; m < ml2; m++) |
| @@ -949,6 +955,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch) |
| ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k]; |
| ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1]; |
| |
| + if (ml1 > MAX_M) |
| + ml1 = MAX_M; |
| + |
| + if (ml2 > MAX_M) |
| + ml2 = MAX_M; |
| + |
| |
| /* calculate the accumulated E_orig and E_curr over the limiter band */ |
| for (m = ml1; m < ml2; m++) |
| @@ -1193,6 +1205,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch) |
| ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k]; |
| ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1]; |
| |
| + if (ml1 > MAX_M) |
| + ml1 = MAX_M; |
| + |
| + if (ml2 > MAX_M) |
| + ml2 = MAX_M; |
| + |
| |
| /* calculate the accumulated E_orig and E_curr over the limiter band */ |
| for (m = ml1; m < ml2; m++) |
| -- |
| 2.20.1 |
| |