90c114911f
CVE-2018-20194: Stack buffer overflow on invalid input
CVE-2018-20362: Null pointer dereference when processing crafted AAC
input
Add two more crash fixes from upstream.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7f4dde3318
)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
51 lines
1.6 KiB
Diff
51 lines
1.6 KiB
Diff
From 942c3e0aee748ea6fe97cb2c1aa5893225316174 Mon Sep 17 00:00:00 2001
|
|
From: Fabian Greffrath <fabian@greffrath.com>
|
|
Date: Mon, 10 Jun 2019 13:58:40 +0200
|
|
Subject: [PATCH] Fix a couple buffer overflows
|
|
|
|
https://hackerone.com/reports/502816
|
|
https://hackerone.com/reports/507858
|
|
|
|
https://github.com/videolan/vlc/blob/master/contrib/src/faad2/faad2-fix-overflows.patch
|
|
|
|
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
|
|
---
|
|
Upstream status: commit 942c3e0aee748ea6
|
|
|
|
libfaad/bits.c | 5 ++++-
|
|
libfaad/syntax.c | 2 ++
|
|
2 files changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/libfaad/bits.c b/libfaad/bits.c
|
|
index dc14d7a03952..4c0de24a5d9c 100644
|
|
--- a/libfaad/bits.c
|
|
+++ b/libfaad/bits.c
|
|
@@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bits)
|
|
int words = bits >> 5;
|
|
int remainder = bits & 0x1F;
|
|
|
|
- ld->bytes_left = ld->buffer_size - words*4;
|
|
+ if (ld->buffer_size < words * 4)
|
|
+ ld->bytes_left = 0;
|
|
+ else
|
|
+ ld->bytes_left = ld->buffer_size - words*4;
|
|
|
|
if (ld->bytes_left >= 4)
|
|
{
|
|
diff --git a/libfaad/syntax.c b/libfaad/syntax.c
|
|
index e7fb11381e46..c9925435dbd0 100644
|
|
--- a/libfaad/syntax.c
|
|
+++ b/libfaad/syntax.c
|
|
@@ -2304,6 +2304,8 @@ static uint8_t excluded_channels(bitfile *ld, drc_info *drc)
|
|
while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
|
|
DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
|
|
{
|
|
+ if (i >= MAX_CHANNELS - num_excl_chan - 7)
|
|
+ return n;
|
|
for (i = num_excl_chan; i < num_excl_chan+7; i++)
|
|
{
|
|
drc->exclude_mask[i] = faad_get1bit(ld
|
|
--
|
|
2.20.1
|
|
|