ref: a8dc3f8ce67f4069cfa4d5cf0fcc2c6e8ef2c2aa
parent: 7da4a83b230d069a9d731b1e64f6e6b52802576a
parent: 6b4a7cde30f2e2cb03e78ef476cc73179cfffda3
author: Fabian Greffrath <fabian@greffrath.com>
date: Thu Apr 11 08:05:12 EDT 2019
Merge pull request #33 from hlef/master CVE-2018-20194 / CVE-2018-20362 fixes
--- a/libfaad/sbr_hfadj.c
+++ b/libfaad/sbr_hfadj.c
@@ -485,7 +485,13 @@
ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+ if (ml1 > MAX_M)
+ ml1 = MAX_M;
+ if (ml2 > MAX_M)
+ ml2 = MAX_M;
+
+
/* calculate the accumulated E_orig and E_curr over the limiter band */
for (m = ml1; m < ml2; m++)
{@@ -949,7 +955,13 @@
ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+ if (ml1 > MAX_M)
+ ml1 = MAX_M;
+ if (ml2 > MAX_M)
+ ml2 = MAX_M;
+
+
/* calculate the accumulated E_orig and E_curr over the limiter band */
for (m = ml1; m < ml2; m++)
{@@ -1192,6 +1204,12 @@
ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
+
+ if (ml1 > MAX_M)
+ ml1 = MAX_M;
+
+ if (ml2 > MAX_M)
+ ml2 = MAX_M;
/* calculate the accumulated E_orig and E_curr over the limiter band */
--- a/libfaad/syntax.c
+++ b/libfaad/syntax.c
@@ -344,6 +344,12 @@
can become 2 when some form of Parametric Stereo coding is used
*/
+ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {+ /* element inconsistency */
+ hInfo->error = 21;
+ return;
+ }
+
/* save the syntax element id */
hDecoder->element_id[hDecoder->fr_ch_ele] = id_syn_ele;
@@ -390,6 +396,12 @@
/* element_output_channels not set yet */
hDecoder->element_output_channels[hDecoder->fr_ch_ele] = 2;
} else if (hDecoder->element_output_channels[hDecoder->fr_ch_ele] != 2) {+ /* element inconsistency */
+ hInfo->error = 21;
+ return;
+ }
+
+ if (hDecoder->frame && hDecoder->element_id[hDecoder->fr_ch_ele] != id_syn_ele) {/* element inconsistency */
hInfo->error = 21;
return;