Diffstat (limited to 'package/faad2/0002-sbr_hfadj-sanitize-frequency-band-borders.patch')
-rw-r--r--package/faad2/0002-sbr_hfadj-sanitize-frequency-band-borders.patch71
1 files changed, 71 insertions, 0 deletions
diff --git a/package/faad2/0002-sbr_hfadj-sanitize-frequency-band-borders.patch b/package/faad2/0002-sbr_hfadj-sanitize-frequency-band-borders.patch
new file mode 100644
index 0000000000..9c580f9339
--- /dev/null
+++ b/package/faad2/0002-sbr_hfadj-sanitize-frequency-band-borders.patch
@@ -0,0 +1,71 @@
+From 6b4a7cde30f2e2cb03e78ef476cc73179cfffda3 Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Thu, 11 Apr 2019 09:34:07 +0200
+Subject: [PATCH] sbr_hfadj: sanitize frequency band borders
+
+user passed f_table_lim contains frequency band borders. Frequency
+bands are groups of consecutive QMF channels. This means that their
+bounds, as provided by f_table_lim, should never exceed MAX_M (maximum
+number of QMF channels). c.f. ISO/IEC 14496-3:2001
+
+FAAD2 does not verify this, leading to security issues when
+processing files defining f_table_lim with values > MAX_M.
+
+This patch sanitizes the values of f_table_lim so that they can be safely
+used as index for Q_M_lim and G_lim arrays.
+
+Fixes #21 (CVE-2018-20194).
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 6b4a7cde30f2e
+
+ libfaad/sbr_hfadj.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/libfaad/sbr_hfadj.c b/libfaad/sbr_hfadj.c
+index 3f310b8190d7..dda1ce8e249b 100644
+--- a/libfaad/sbr_hfadj.c
++++ b/libfaad/sbr_hfadj.c
+@@ -485,6 +485,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch)
+ ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+ ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
++ if (ml1 > MAX_M)
++ ml1 = MAX_M;
++
++ if (ml2 > MAX_M)
++ ml2 = MAX_M;
++
+
+ /* calculate the accumulated E_orig and E_curr over the limiter band */
+ for (m = ml1; m < ml2; m++)
+@@ -949,6 +955,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch)
+ ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+ ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
++ if (ml1 > MAX_M)
++ ml1 = MAX_M;
++
++ if (ml2 > MAX_M)
++ ml2 = MAX_M;
++
+
+ /* calculate the accumulated E_orig and E_curr over the limiter band */
+ for (m = ml1; m < ml2; m++)
+@@ -1193,6 +1205,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch)
+ ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+ ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
++ if (ml1 > MAX_M)
++ ml1 = MAX_M;
++
++ if (ml2 > MAX_M)
++ ml2 = MAX_M;
++
+
+ /* calculate the accumulated E_orig and E_curr over the limiter band */
+ for (m = ml1; m < ml2; m++)
+--
+2.20.1
+
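Review bot: The clamp on `ml1`/`ml2` is copied verbatim into all three `calculate_gain` variants (inner hunks at 485, 949 and 1193) and only bounds the local copies, so the out-of-range borders remain in `sbr->f_table_lim` and any other reader of that table outside these hunks would still see them. Validating the borders once, at the point where `f_table_lim` is filled from the stream, and failing the frame there would cover every consumer and avoid decoding on with silently truncated limiter bands. If the clamp stays as is, a short comment above the first check, e.g. `/* f_table_lim is derived from the bitstream; borders are used as indexes into Q_M_lim and G_lim */`, would record why it exists. The declarations of `ml1` and `ml2` are not visible here; if they are signed, the guard should also reject negative values, `if (ml1 < 0 || ml1 > MAX_M)`. Each `calculate_gain` body starts and ends outside the inner hunks, so later uses of the two borders could not be checked from this page.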