kumquat-buildroot/package/faad2/0004-add-patch-to-prevent-crash-on-SCE-followed-by-CPE.patch
Baruch Siach 90c114911f package/faad2: add upstream security fixes
CVE-2018-20194: Stack buffer overflow on invalid input

CVE-2018-20362: Null pointer dereference when processing crafted AAC
input

Add two more crash fixes from upstream.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7f4dde3318)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:43:21 +02:00

55 lines
2.0 KiB
Diff

From f1f8e002622196de3aa650163e5dc2888ebc7a63 Mon Sep 17 00:00:00 2001
From: Fabian Greffrath <fabian@greffrath.com>
Date: Mon, 10 Jun 2019 13:59:49 +0200
Subject: [PATCH] add patch to prevent crash on SCE followed by CPE
hDecoder->element_alloced denotes whether or not we have allocated memory for
usage in terms of the specified channel element. Given that it previously only
had two states (1 meaning allocated, and 0 meaning not allocated), it would not
allocate enough memory for parsing a CPE it if is preceeded by a SCE (and
therefor crash).
These changes fixes the issue by making sure that we allocate additional memory
if so is necessary, and the set of values for hDecoder->element_alloced[n] is
now:
0 = nothing allocated
1 = allocated enough for SCE
2 = allocated enough for CPE
All branches that depend on hDecoder->element_alloced[n] prior to this patch
only checks if the value is, or is not, zero. The added state, 2, is therefor
correctly handled automatically.
https://github.com/videolan/vlc/blob/master/contrib/src/faad2/faad2-fix-cpe-reconstruction.patch
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
Upstream status: commit f1f8e002622196d
libfaad/specrec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libfaad/specrec.c b/libfaad/specrec.c
index 9797d6e79468..0e72207fc9c0 100644
--- a/libfaad/specrec.c
+++ b/libfaad/specrec.c
@@ -1109,13 +1109,13 @@ uint8_t reconstruct_channel_pair(NeAACDecStruct *hDecoder, ic_stream *ics1, ic_s
#ifdef PROFILE
int64_t count = faad_get_ts();
#endif
- if (hDecoder->element_alloced[hDecoder->fr_ch_ele] == 0)
+ if (hDecoder->element_alloced[hDecoder->fr_ch_ele] != 2)
{
retval = allocate_channel_pair(hDecoder, cpe->channel, (uint8_t)cpe->paired_channel);
if (retval > 0)
return retval;
- hDecoder->element_alloced[hDecoder->fr_ch_ele] = 1;
+ hDecoder->element_alloced[hDecoder->fr_ch_ele] = 2;
}
/* dequantisation and scaling */
--
2.20.1