90c114911f
CVE-2018-20194: Stack buffer overflow on invalid input
CVE-2018-20362: Null pointer dereference when processing crafted AAC
input
Add two more crash fixes from upstream.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7f4dde3318
)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
55 lines
2.0 KiB
Diff
55 lines
2.0 KiB
Diff
From f1f8e002622196de3aa650163e5dc2888ebc7a63 Mon Sep 17 00:00:00 2001
|
|
From: Fabian Greffrath <fabian@greffrath.com>
|
|
Date: Mon, 10 Jun 2019 13:59:49 +0200
|
|
Subject: [PATCH] add patch to prevent crash on SCE followed by CPE
|
|
|
|
hDecoder->element_alloced denotes whether or not we have allocated memory for
|
|
usage in terms of the specified channel element. Given that it previously only
|
|
had two states (1 meaning allocated, and 0 meaning not allocated), it would not
|
|
allocate enough memory for parsing a CPE it if is preceeded by a SCE (and
|
|
therefor crash).
|
|
|
|
These changes fixes the issue by making sure that we allocate additional memory
|
|
if so is necessary, and the set of values for hDecoder->element_alloced[n] is
|
|
now:
|
|
|
|
0 = nothing allocated
|
|
1 = allocated enough for SCE
|
|
2 = allocated enough for CPE
|
|
|
|
All branches that depend on hDecoder->element_alloced[n] prior to this patch
|
|
only checks if the value is, or is not, zero. The added state, 2, is therefor
|
|
correctly handled automatically.
|
|
|
|
https://github.com/videolan/vlc/blob/master/contrib/src/faad2/faad2-fix-cpe-reconstruction.patch
|
|
|
|
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
|
|
---
|
|
Upstream status: commit f1f8e002622196d
|
|
libfaad/specrec.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/libfaad/specrec.c b/libfaad/specrec.c
|
|
index 9797d6e79468..0e72207fc9c0 100644
|
|
--- a/libfaad/specrec.c
|
|
+++ b/libfaad/specrec.c
|
|
@@ -1109,13 +1109,13 @@ uint8_t reconstruct_channel_pair(NeAACDecStruct *hDecoder, ic_stream *ics1, ic_s
|
|
#ifdef PROFILE
|
|
int64_t count = faad_get_ts();
|
|
#endif
|
|
- if (hDecoder->element_alloced[hDecoder->fr_ch_ele] == 0)
|
|
+ if (hDecoder->element_alloced[hDecoder->fr_ch_ele] != 2)
|
|
{
|
|
retval = allocate_channel_pair(hDecoder, cpe->channel, (uint8_t)cpe->paired_channel);
|
|
if (retval > 0)
|
|
return retval;
|
|
|
|
- hDecoder->element_alloced[hDecoder->fr_ch_ele] = 1;
|
|
+ hDecoder->element_alloced[hDecoder->fr_ch_ele] = 2;
|
|
}
|
|
|
|
/* dequantisation and scaling */
|
|
--
|
|
2.20.1
|
|
|