ref: 6823e6610c9af1b0080cb22b9da03efb208d7d57
parent: 3b80a57483a6bc822d3ce3cc640fa81737a87c54
author: Hugo Lefeuvre <hle@debian.org>
date: Fri Aug 23 04:08:19 EDT 2019
ps_dec: sanitize iid_index before mixing index range is supposed to be within -7 and 7 or -15 and 15 depending on iid_mode (see Table 8.24, ISO/IEC 14496-3:2005). Indexes outside these boundaries are likely to be errors and should be sanitized to avoid memory corruption. Replace any index under -no_iid_steps (-7 or -15 depending on iid_mode) by -no_iid_steps. Replace any index above no_iid_steps by no_iid_steps. Try to process further. This commit addresses CVE-2019-6956 (fixes #39).
--- a/libfaad/ps_dec.c
+++ b/libfaad/ps_dec.c
@@ -1508,6 +1508,20 @@
//printf("%d\n", ps->iid_index[env][bk]);
+ /* index range is supposed to be -7...7 or -15...15 depending on iid_mode
+ (Table 8.24, ISO/IEC 14496-3:2005).
+ if it is outside these boundaries, this is most likely an error. sanitize
+ it and try to process further. */
+ if (ps->iid_index[env][bk] < -no_iid_steps) {
+ fprintf(stderr, "Warning: invalid iid_index: %d < %d\n", ps->iid_index[env][bk],
+ -no_iid_steps);
+ ps->iid_index[env][bk] = -no_iid_steps;
+ } else if (ps->iid_index[env][bk] > no_iid_steps) {
+ fprintf(stderr, "Warning: invalid iid_index: %d > %d\n", ps->iid_index[env][bk],
+ no_iid_steps);
+ ps->iid_index[env][bk] = no_iid_steps;
+ }
+
/* calculate the scalefactors c_1 and c_2 from the intensity differences */
c_1 = sf_iid[no_iid_steps + ps->iid_index[env][bk]];
c_2 = sf_iid[no_iid_steps - ps->iid_index[env][bk]];