sbr_hfadj: sanitize frequency band borders
User-passed f_table_lim contains frequency band borders. Frequency
bands are groups of consecutive QMF channels. This means that their
bounds, as provided by f_table_lim, should never exceed MAX_M (maximum
number of QMF channels). cf. ISO/IEC 14496-3:2001
FAAD2 does not verify this, leading to security issues when
processing files defining f_table_lim with values > MAX_M.
This patch sanitizes the values of f_table_lim so that they can be safely
used as an index for Q_M_lim and G_lim arrays.
Fixes #21 (CVE-2018-20194).
Hugo Lefeuvre authored 5 years ago
Hugo Lefeuvre committed 5 years ago
484 | 484 | ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k]; |
485 | 485 | ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1]; |
486 | 486 | |
487 | if (ml1 > MAX_M) | |
488 | ml1 = MAX_M; | |
489 | ||
490 | if (ml2 > MAX_M) | |
491 | ml2 = MAX_M; | |
492 | ||
487 | 493 | |
488 | 494 | /* calculate the accumulated E_orig and E_curr over the limiter band */ |
489 | 495 | for (m = ml1; m < ml2; m++) |
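Review bot: the clamp at 487-491 silently accepts a stream whose limiter band borders exceed MAX_M instead of rejecting it. With `for (m = ml1; m < ml2; m++)` the largest index reached after clamping is MAX_M - 1, which is only safe if Q_M_lim and G_lim (named in the commit message) hold at least MAX_M elements; that assumption deserves a comment next to the check. Consider whether an out-of-range border should make the function return an error rather than continue decoding with truncated bands, and, if ml1 and ml2 are signed, add a lower bound check as well.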
948 | 954 | ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k]; |
949 | 955 | ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1]; |
950 | 956 | |
957 | if (ml1 > MAX_M) | |
958 | ml1 = MAX_M; | |
959 | ||
960 | if (ml2 > MAX_M) | |
961 | ml2 = MAX_M; | |
962 | ||
951 | 963 | |
952 | 964 | /* calculate the accumulated E_orig and E_curr over the limiter band */ |
953 | 965 | for (m = ml1; m < ml2; m++) |
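Review bot: the lines added at 957-961 are a verbatim copy of the clamp added at 487-491, and a third copy follows at 1207-1211. Sanitizing f_table_lim once, at the point where the table is filled in, or moving the clamp into a small helper would cover any other reader of the table and keep the three call sites from drifting apart.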
1191 | 1203 | |
1192 | 1204 | ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k]; |
1193 | 1205 | ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1]; |
1206 | ||
1207 | if (ml1 > MAX_M) | |
1208 | ml1 = MAX_M; | |
1209 | ||
1210 | if (ml2 > MAX_M) | |
1211 | ml2 = MAX_M; | |
1194 | 1212 | |
1195 | 1213 | |
1196 | 1214 | /* calculate the accumulated E_orig and E_curr over the limiter band */ |
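Review bot: the clamp at 1207-1211 carries no comment saying why MAX_M is the limit; a one-line comment that the borders are later used as array indices and must not exceed the number of QMF channels would make the intent clear to the next reader. Whitespace also differs from the other two hunks: here a blank line is added before the clamp (1206) and none after, leaving the two existing blank lines at 1212-1213, while at 487-492 and 957-962 the blank line is added after the clamp.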