sbr_fbt: sbr->M should not exceed MAX_M

sbr->M is set by derived_frequency_table() from user-passed input without checking for > MAX_M. This leads to out-of-bounds accesses later, crashes and potential security-relevant issues. It should be considered a fatal error for the SBR block.

Return an error code if sbr->M > MAX_M.

Also, in some cases sbr_extension_data() ignores the return value of calc_sbr_tables(), probably assuming that sbr is always valid. It should almost certainly not do that.

Fixes #19 (CVE-2018-20196).

Hugo Lefeuvre authored 4 years ago Hugo Lefeuvre committed 4 years ago
2 changed file(s) with 4 addition(s) and 2 deletion(s).
525525 }
526526
527527 sbr->M = sbr->f_table_res[HI_RES][sbr->N_high] - sbr->f_table_res[HI_RES][0];
528 if (sbr->M > MAX_M)
529 return 1;
528530 sbr->kx = sbr->f_table_res[HI_RES][0];
529531 if (sbr->kx > 32)
530532 return 1;
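Review bot: The bound check added at new lines 528-529 runs only after `sbr->M` has been overwritten, so on the error return the structure still carries the out-of-range value. Any code that keeps using `sbr` without looking at the return code would still see an M above MAX_M, so the check is only as strong as every caller's error handling. I would validate a local first and store it afterwards, e.g. `int m = sbr->f_table_res[HI_RES][sbr->N_high] - sbr->f_table_res[HI_RES][0];` then `if (m < 0 || m > MAX_M) return 1;` then `sbr->M = m;` (the field's declared type is not visible here, so adjust the local's type to match). A short comment such as `/* M comes from the bitstream; reject values above MAX_M before they are used as a bound */` would also record why this is fatal. The enclosing function starts and ends outside the hunk.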
195195 /* if an error occured with the new header values revert to the old ones */
196196 if (rt > 0)
197197 {
198 calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
198 result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
199199 saved_samplerate_mode, saved_freq_scale,
200200 saved_alter_scale, saved_xover_band);
201201 }
214214 if ((result > 0) &&
215215 (sbr->Reset || (sbr->bs_header_flag && sbr->just_seeked)))
216216 {
217 calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
217 result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
218218 saved_samplerate_mode, saved_freq_scale,
219219 saved_alter_scale, saved_xover_band);
220220 }
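Review bot: When the revert call at new line 198 or 217 itself fails, `sbr` is left with tables that match neither the new header nor the saved one, and nothing at either call site says what the caller must do in that case. It looks like a non-zero `result` is meant to make the caller drop SBR for this frame, but that handling is outside these hunks and should be confirmed. I would add a comment at both sites, e.g. `/* revert can fail too: a non-zero result means the SBR tables are unusable for this frame */`. Note also that if the first revert fails, `result > 0` can make the second block repeat the same call with the same saved arguments, so `result` ends up as a count of failures, not a status code. That is fine only if callers test `result > 0` and never compare against a specific value.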