NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
edd44d34ae
kumquat-buildroot/package/faad2/0001-syntax.c-check-for-syntax-element-inconsistencies.patch
Baruch Siach 7f4dde3318 package/faad2: add upstream security fixes 
CVE-2018-20194: Stack buffer overflow on invalid input

CVE-2018-20362: Null pointer dereference when processing crafted AAC
input

Add two more crash fixes from upstream.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-07-04 00:02:46 +02:00

65 lines
2.1 KiB
Diff
Raw Blame History

From 466b01d504d7e45f1e9169ac90b3e34ab94aed14 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Mon, 25 Feb 2019 10:49:03 +0100
Subject: [PATCH] syntax.c: check for syntax element inconsistencies
Implicit channel mapping reconfiguration is explicitely forbidden by
ISO/IEC 13818-7:2006 (8.5.3.3). Decoders should be able to detect such
files and reject them. FAAD2 does not perform any kind of checks
regarding this.
This leads to security vulnerabilities when processing crafted AAC
files performing such reconfigurations.
Add checks to decode_sce_lfe and decode_cpe to make sure such
inconsistencies are detected as early as possible.
These checks first read hDecoder->frame: if this is not the first
frame then we make sure that the syntax element at the same position
in the previous frame also had element_id id_syn_ele. If not, return
21 as this is a fatal file structure issue.
This patch addresses CVE-2018-20362 (fixes #26) and possibly other
related issues.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
Upstream status: commit 466b01d504d7
libfaad/syntax.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/libfaad/syntax.c b/libfaad/syntax.c
index f8e808c269c0..e7fb11381e46 100644
--- a/libfaad/syntax.c
+++ b/libfaad/syntax.c
@@ -344,6 +344,12 @@ static void decode_sce_lfe(NeAACDecStruct *hDecoder,
can become 2 when some form of Parametric Stereo coding is used
*/
+ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
+ /* element inconsistency */
+ hInfo->error = 21;
+ return;
+ }
+
/* save the syntax element id */
hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
@@ -395,6 +401,12 @@ static void decode_cpe(NeAACDecStruct *hDecoder, NeAACDecFrameInfo *hInfo, bitfi
return;
}
+ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {
+ /* element inconsistency */
+ hInfo->error = 21;
+ return;
+ }
+
/* save the syntax element id */
hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
--
2.20.1
Reference in New Issue View Git Blame Copy Permalink