sbr_fbt: sbr->M should not exceed MAX_M
sbr->M is set by derived_frequency_table() from user-passed input
without checking for > MAX_M.
This leads to out-of-bounds accesses later, crashes and potential
security relevant issues. It should be considered a fatal error for
the SBR block.
Return an error code if sbr->M > MAX_M.
Also, in some cases sbr_extension_data() ignores the return value of
calc_sbr_tables(), probably assuming that sbr is always valid. It should
almost certainly not do that.
fixes #19 (CVE-2018-20196).
Hugo Lefeuvre authored 4 years ago
Hugo Lefeuvre committed 4 years ago
525 | 525 |
}
|
526 | 526 |
|
527 | 527 |
sbr->M = sbr->f_table_res[HI_RES][sbr->N_high] - sbr->f_table_res[HI_RES][0];
|
|
528 |
if (sbr->M > MAX_M)
|
|
529 |
return 1;
|
528 | 530 |
sbr->kx = sbr->f_table_res[HI_RES][0];
|
529 | 531 |
if (sbr->kx > 32)
|
530 | 532 |
return 1;
|
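Review bot: The new bound check at new line 528 runs only after `sbr->M` has been overwritten, so on the error return the struct still holds the out-of-range value. Any caller that still ignores the return code, which the commit message says has happened, goes on using that M. Clearing the field on failure, e.g. `if (sbr->M > MAX_M) { sbr->M = 0; return 1; }`, would make the failure safe by construction; whether 0 is acceptable to later code is not visible here and needs confirming. If `sbr->M` is a narrow unsigned type and the table entries are not guaranteed ascending, the subtraction could also wrap to a small value that passes the check, so a preceding `f_table_res[HI_RES][sbr->N_high] >= f_table_res[HI_RES][0]` test may be worth adding. The function body starts and ends outside this hunk.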
195 | 195 |
/* if an error occured with the new header values revert to the old ones */
|
196 | 196 |
if (rt > 0)
|
197 | 197 |
{
|
198 | |
calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
|
|
198 |
result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
|
199 | 199 |
saved_samplerate_mode, saved_freq_scale,
|
200 | 200 |
saved_alter_scale, saved_xover_band);
|
201 | 201 |
}
|
|
214 | 214 |
if ((result > 0) &&
|
215 | 215 |
(sbr->Reset || (sbr->bs_header_flag && sbr->just_seeked)))
|
216 | 216 |
{
|
217 | |
calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
|
|
217 |
result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
|
218 | 218 |
saved_samplerate_mode, saved_freq_scale,
|
219 | 219 |
saved_alter_scale, saved_xover_band);
|
220 | 220 |
}
|
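Review bot: The two `result += calc_sbr_tables(...)` lines (new lines 198 and 217) protect the decoder only if the code after these blocks checks `result` before using the SBR tables. That code is outside the visible hunks and should be confirmed. Both calls re-run the calculation with the saved header values, so if those are themselves invalid (presumably possible before any good header has been seen) the revert fails and `sbr` keeps whatever the rejected header produced. I would document that contract at both sites with a comment such as `/* a failed revert leaves the tables inconsistent: result must stay non-zero so this SBR block is dropped */`. Summing the codes also hides which step failed, which is worth noting if any caller compares `result` against specific values. The enclosing function starts and ends outside both hunks.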