aboutsummaryrefslogtreecommitdiff
path: root/package/faad2/0003-Fix-a-couple-buffer-overflows.patch
blob: 6ae760877132cd725da364d5e194b60313e72531 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
From 942c3e0aee748ea6fe97cb2c1aa5893225316174 Mon Sep 17 00:00:00 2001
From: Fabian Greffrath <fabian@greffrath.com>
Date: Mon, 10 Jun 2019 13:58:40 +0200
Subject: [PATCH] Fix a couple buffer overflows

https://hackerone.com/reports/502816
https://hackerone.com/reports/507858

https://github.com/videolan/vlc/blob/master/contrib/src/faad2/faad2-fix-overflows.patch

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
Upstream status: commit 942c3e0aee748ea6

 libfaad/bits.c   | 5 ++++-
 libfaad/syntax.c | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/libfaad/bits.c b/libfaad/bits.c
index dc14d7a03952..4c0de24a5d9c 100644
--- a/libfaad/bits.c
+++ b/libfaad/bits.c
@@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bits)
     int words = bits >> 5;
     int remainder = bits & 0x1F;
 
-    ld->bytes_left = ld->buffer_size - words*4;
+    if (ld->buffer_size < words * 4)
+        ld->bytes_left = 0;
+    else
+        ld->bytes_left = ld->buffer_size - words*4;
 
     if (ld->bytes_left >= 4)
     {
diff --git a/libfaad/syntax.c b/libfaad/syntax.c
index e7fb11381e46..c9925435dbd0 100644
--- a/libfaad/syntax.c
+++ b/libfaad/syntax.c
@@ -2304,6 +2304,8 @@ static uint8_t excluded_channels(bitfile *ld, drc_info *drc)
     while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
         DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
     {
+        if (i >= MAX_CHANNELS - num_excl_chan - 7)
+            return n;
         for (i = num_excl_chan; i < num_excl_chan+7; i++)
         {
             drc->exclude_mask[i] = faad_get1bit(ld
-- 
2.20.1