Codebase list faad2 / 6b4a7cd
sbr_hfadj: sanitize frequency band borders

user passed f_table_lim contains frequency band borders. Frequency bands are groups of consecutive QMF channels. This means that their bounds, as provided by f_table_lim, should never exceed MAX_M (maximum number of QMF channels). c.f. ISO/IEC 14496-3:2001

FAAD2 does not verify this, leading to security issues when processing files defining f_table_lim with values > MAX_M.

This patch sanitizes the values of f_table_lim so that they can be safely used as index for Q_M_lim and G_lim arrays.

Fixes #21 (CVE-2018-20194).

Hugo Lefeuvre authored 5 years ago
Hugo Lefeuvre committed 5 years ago
1 changed file(s) with 18 addition(s) and 0 deletion(s).
484484 ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
485485 ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
486486
487 if (ml1 > MAX_M)
488 ml1 = MAX_M;
489
490 if (ml2 > MAX_M)
491 ml2 = MAX_M;
492
487493
488494 /* calculate the accumulated E_orig and E_curr over the limiter band */
489495 for (m = ml1; m < ml2; m++)
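Review bot: The clamps at new lines 487-491 let decoding continue silently on a stream whose limiter borders exceed MAX_M, which the commit message describes as out of spec. Consider rejecting the frame or returning an error instead of clamping, or at least validating f_table_lim once where the table is built, so that malformed input is not decoded as if it were valid. Also note that only the upper bound is checked and ml1 is not compared against ml2. The loop `for (m = ml1; m < ml2; m++)` simply does not run when ml1 >= ml2, but the declarations of ml1 and ml2 are not in this hunk, so if they are signed a lower-bound check is needed as well.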
948954 ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
949955 ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
950956
957 if (ml1 > MAX_M)
958 ml1 = MAX_M;
959
960 if (ml2 > MAX_M)
961 ml2 = MAX_M;
962
951963
952964 /* calculate the accumulated E_orig and E_curr over the limiter band */
953965 for (m = ml1; m < ml2; m++)
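Review bot: The clamp at new lines 957-961 is a verbatim copy of the one added at 487-491, and it appears a third time at 1207-1211. Three hand-copied guards are easy to miss when a fourth reader of f_table_lim is added later. A small helper or macro (for example a `min(x, MAX_M)` style clamp), or better a single sanitization pass over `sbr->f_table_lim[sbr->bs_limiter_bands][...]` at the point where the table is filled, would cover every consumer with one check.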
11911203
11921204 ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
11931205 ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
1206
1207 if (ml1 > MAX_M)
1208 ml1 = MAX_M;
1209
1210 if (ml2 > MAX_M)
1211 ml2 = MAX_M;
11941212
11951213
11961214 /* calculate the accumulated E_orig and E_curr over the limiter band */
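Review bot: Nothing at new lines 1207-1211 (or at the two earlier copies) says why ml1 and ml2 are capped at MAX_M, so the guard looks arbitrary to a later reader and could be removed as dead code. Add a one-line comment above the first `if` stating that the borders in f_table_lim are user-supplied, per the commit message, and must not exceed MAX_M because they bound the index `m` in the loop that follows. As a minor style point, the insertion leaves two consecutive blank lines (1212-1213) before the existing comment; one is enough.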