specrec: better handle unexpected PS

Parametric Stereo (PS) can arrive at any moment in input files. PS
changes the number of output channels and therefore requires more
allocated memory in various structures from hDecoder.

The current faad2 code attempts to perform allocation surgery in
hDecoder to recover from this. This works well when there is only one
frame channel, else it creates a large number of memory corruption
issues.

If there is more than one input channel, return cleanly with an error
code. It would be nice to handle this, but this is likely to be a lot
of work and is beyond the scope of a security fix.

This commit addresses CVE-2018-20360 and CVE-2018-20199 (fixes #32,
fixes #24).
Hugo Lefeuvre authored 4 years ago
Hugo Lefeuvre committed 4 years ago
914 | 914 | /* element_output_channels not set yet */ |
915 | 915 | hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels; |
916 | 916 | } else if (hDecoder->element_output_channels[hDecoder->fr_ch_ele] != output_channels) { |
917 | /* element inconsistency */ | |
918 | ||
919 | /* this only happens if PS is actually found but not in the first frame | |
917 | /* element inconsistency | |
918 | * this only happens if PS is actually found but not in the first frame | |
920 | 919 | * this means that there is only 1 bitstream element! |
921 | 920 | */ |
922 | 921 | |
923 | /* reset the allocation */ | |
924 | hDecoder->element_alloced[hDecoder->fr_ch_ele] = 0; | |
925 | ||
926 | hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels; | |
927 | ||
928 | //return 21; | |
922 | if (hDecoder->fr_channels == 1) { | |
923 | /* reset the allocation */ | |
924 | hDecoder->element_alloced[hDecoder->fr_ch_ele] = 0; | |
925 | hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels; | |
926 | } else { | |
927 | return 21; | |
928 | } | |
929 | 929 | } |
930 | 930 | |
931 | 931 | if (hDecoder->element_alloced[hDecoder->fr_ch_ele] == 0) |
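Review bot: the comment kept above the new `if (hDecoder->fr_channels == 1)` test (new lines 917-920) still says "this means that there is only 1 bitstream element!", but the added else branch exists precisely for the case where that does not hold, so the comment now contradicts the code beneath it. Suggest rewording it to state that PS arriving after the first frame is only recovered from when `fr_channels == 1`, and that every other case is rejected. The `return 21;` at new line 927 is a bare numeric code; a short comment naming the error it maps to, and stating that `element_alloced` and `element_output_channels` are deliberately left unchanged on this path, would make the intent clear to the next reader. It is also worth confirming that every caller checks this return value before touching the element's buffers, since the fix depends on decoding stopping here.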