Projects
Essentials
faad2
sbr_hfadj-sanitize-frequency-band-borders.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File sbr_hfadj-sanitize-frequency-band-borders.patch of Package faad2 (Revision 23)
Currently displaying revision
23
,
Show latest
From 6b4a7cde30f2e2cb03e78ef476cc73179cfffda3 Mon Sep 17 00:00:00 2001 From: Hugo Lefeuvre <hle@debian.org> Date: Thu, 11 Apr 2019 09:34:07 +0200 Subject: [PATCH 10/10] sbr_hfadj: sanitize frequency band borders user passed f_table_lim contains frequency band borders. Frequency bands are groups of consecutive QMF channels. This means that their bounds, as provided by f_table_lim, should never exceed MAX_M (maximum number of QMF channels). c.f. ISO/IEC 14496-3:2001 FAAD2 does not verify this, leading to security issues when processing files defining f_table_lim with values > MAX_M. This patch sanitizes the values of f_table_lim so that they can be safely used as index for Q_M_lim and G_lim arrays. Fixes #21 (CVE-2018-20194). --- libfaad/sbr_hfadj.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/libfaad/sbr_hfadj.c b/libfaad/sbr_hfadj.c index 3f310b8..dda1ce8 100644 --- a/libfaad/sbr_hfadj.c +++ b/libfaad/sbr_hfadj.c @@ -485,6 +485,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch) ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k]; ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1]; + if (ml1 > MAX_M) + ml1 = MAX_M; + + if (ml2 > MAX_M) + ml2 = MAX_M; + /* calculate the accumulated E_orig and E_curr over the limiter band */ for (m = ml1; m < ml2; m++) @@ -949,6 +955,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch) ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k]; ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1]; + if (ml1 > MAX_M) + ml1 = MAX_M; + + if (ml2 > MAX_M) + ml2 = MAX_M; + /* calculate the accumulated E_orig and E_curr over the limiter band */ for (m = ml1; m < ml2; m++) @@ -1193,6 +1205,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch) ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k]; ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1]; + if (ml1 > MAX_M) + ml1 = MAX_M; + + if (ml2 > MAX_M) + ml2 = MAX_M; + /* calculate the accumulated E_orig and E_curr over the limiter band */ for (m = ml1; m < ml2; m++) -- 2.20.1
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.