kumquat-buildroot/package/faad2/0003-Fix-a-couple-buffer-overflows.patch
Baruch Siach 90c114911f package/faad2: add upstream security fixes
CVE-2018-20194: Stack buffer overflow on invalid input

CVE-2018-20362: Null pointer dereference when processing crafted AAC
input

Add two more crash fixes from upstream.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7f4dde3318)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:43:21 +02:00

51 lines
1.6 KiB
Diff

From 942c3e0aee748ea6fe97cb2c1aa5893225316174 Mon Sep 17 00:00:00 2001
From: Fabian Greffrath <fabian@greffrath.com>
Date: Mon, 10 Jun 2019 13:58:40 +0200
Subject: [PATCH] Fix a couple buffer overflows
https://hackerone.com/reports/502816
https://hackerone.com/reports/507858
https://github.com/videolan/vlc/blob/master/contrib/src/faad2/faad2-fix-overflows.patch
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
Upstream status: commit 942c3e0aee748ea6
libfaad/bits.c | 5 ++++-
libfaad/syntax.c | 2 ++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/libfaad/bits.c b/libfaad/bits.c
index dc14d7a03952..4c0de24a5d9c 100644
--- a/libfaad/bits.c
+++ b/libfaad/bits.c
@@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bits)
int words = bits >> 5;
int remainder = bits & 0x1F;
- ld->bytes_left = ld->buffer_size - words*4;
+ if (ld->buffer_size < words * 4)
+ ld->bytes_left = 0;
+ else
+ ld->bytes_left = ld->buffer_size - words*4;
if (ld->bytes_left >= 4)
{
diff --git a/libfaad/syntax.c b/libfaad/syntax.c
index e7fb11381e46..c9925435dbd0 100644
--- a/libfaad/syntax.c
+++ b/libfaad/syntax.c
@@ -2304,6 +2304,8 @@ static uint8_t excluded_channels(bitfile *ld, drc_info *drc)
while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
{
+ if (i >= MAX_CHANNELS - num_excl_chan - 7)
+ return n;
for (i = num_excl_chan; i < num_excl_chan+7; i++)
{
drc->exclude_mask[i] = faad_get1bit(ld
--
2.20.1