summaryrefslogtreecommitdiff
path: root/audio/faad2/patches/patch-CVE-2018-20194
diff options
context:
space:
mode:
Diffstat (limited to 'audio/faad2/patches/patch-CVE-2018-20194')
-rw-r--r--audio/faad2/patches/patch-CVE-2018-2019459
1 files changed, 59 insertions, 0 deletions
diff --git a/audio/faad2/patches/patch-CVE-2018-20194 b/audio/faad2/patches/patch-CVE-2018-20194
new file mode 100644
index 00000000000..689bc98fe3d
--- /dev/null
+++ b/audio/faad2/patches/patch-CVE-2018-20194
@@ -0,0 +1,59 @@
+$NetBSD: patch-CVE-2018-20194,v 1.1.2.2 2019/07/13 11:12:03 bsiegert Exp $
+
+user passed f_table_lim contains frequency band borders. Frequency
+bands are groups of consecutive QMF channels. This means that their
+bounds, as provided by f_table_lim, should never exceed MAX_M (maximum
+number of QMF channels). c.f. ISO/IEC 14496-3:2001
+
+FAAD2 does not verify this, leading to security issues when
+processing files defining f_table_lim with values > MAX_M.
+
+This patch sanitizes the values of f_table_lim so that they can be safely
+used as index for Q_M_lim and G_lim arrays.
+
+Fixes CVE-2018-20194.
+
+Upstream commit:
+https://github.com/knik0/faad2/commit/6b4a7cde30f2e2cb03e78ef476cc73179cfffda3.patch
+
+--- libfaad/sbr_hfadj.c.orig 2017-07-06 19:16:40.000000000 +0000
++++ libfaad/sbr_hfadj.c
+@@ -485,6 +485,12 @@ static void calculate_gain(sbr_info *sbr
+ ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+ ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
++ if (ml1 > MAX_M)
++ ml1 = MAX_M;
++
++ if (ml2 > MAX_M)
++ ml2 = MAX_M;
++
+
+ /* calculate the accumulated E_orig and E_curr over the limiter band */
+ for (m = ml1; m < ml2; m++)
+@@ -949,6 +955,12 @@ static void calculate_gain(sbr_info *sbr
+ ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+ ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
++ if (ml1 > MAX_M)
++ ml1 = MAX_M;
++
++ if (ml2 > MAX_M)
++ ml2 = MAX_M;
++
+
+ /* calculate the accumulated E_orig and E_curr over the limiter band */
+ for (m = ml1; m < ml2; m++)
+@@ -1193,6 +1205,12 @@ static void calculate_gain(sbr_info *sbr
+ ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
+ ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
++ if (ml1 > MAX_M)
++ ml1 = MAX_M;
++
++ if (ml2 > MAX_M)
++ ml2 = MAX_M;
++
+
+ /* calculate the accumulated E_orig and E_curr over the limiter band */
+ for (m = ml1; m < ml2; m++)
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-02 15:05:12 +0000