shithub: aacdec

Download patch

ref: 19b81b0cb9c82430a01c4806543a580d3b656dd0
parent: 920ec985a74c6f88fe507181df07a0cd7e51d519
parent: 6aeeaa1af0caf986daf22852a97f7c13c5edd879
author: Fabian Greffrath <fabian@greffrath.com>
date: Mon Aug 19 10:52:05 EDT 2019 

Merge pull request #36 from hlef/master

mp4read/sbr_fbt: security bug fixes


--- a/frontend/main.c
+++ b/frontend/main.c
@@ -915,6 +915,11 @@
 
         sample_buffer = NeAACDecDecode(hDecoder, &frameInfo, mp4config.bitbuf.data, mp4config.bitbuf.size);
 
+        if (!sample_buffer) {
+            /* unable to decode file, abort */
+            break;
+        }
+
         if (adts_out == 1)
         {
             adtsData = MakeAdtsHeader(&adtsDataSize, &frameInfo, 0);
@@ -1365,4 +1370,4 @@
 #else
     return faad_main(argc, argv);
 #endif
-}
\ No newline at end of file
+}
--- a/frontend/mp4read.c
+++ b/frontend/mp4read.c
@@ -797,7 +797,8 @@
 {
     long apos = ftell(g_fin);
     uint32_t atomsize;
-    int err;
+    creator_t *old_atom = g_atom;
+    int err, ret = sizemax;
 
     static creator_t mvhd[] = {
         {ATOM_NAME, "mvhd"},
@@ -841,8 +842,11 @@
 
     g_atom = mvhd;
     atomsize = sizemax + apos - ftell(g_fin);
-    if (parse(&atomsize) < 0)
+    if (parse(&atomsize) < 0) {
+        g_atom = old_atom;
         return ERR_FAIL;
+    }
+
     fseek(g_fin, apos, SEEK_SET);
 
     while (1)
@@ -856,13 +860,16 @@
         err = parse(&atomsize);
         //fprintf(stderr, "SIZE: %x/%x\n", atomsize, sizemax);
         if (err >= 0)
-            return sizemax;
-        if (err != ERR_UNSUPPORTED)
-            return err;
+            break;
+        if (err != ERR_UNSUPPORTED) {
+            ret = err;
+            break;
+        }
         //fprintf(stderr, "UNSUPP\n");
     }
 
-    return sizemax;
+    g_atom = old_atom;
+    return ret;
 }
 
 
--- a/libfaad/sbr_fbt.c
+++ b/libfaad/sbr_fbt.c
@@ -526,6 +526,8 @@
     }
 
     sbr->M = sbr->f_table_res[HI_RES][sbr->N_high] - sbr->f_table_res[HI_RES][0];
+    if (sbr->M > MAX_M)
+        return 1;
     sbr->kx = sbr->f_table_res[HI_RES][0];
     if (sbr->kx > 32)
         return 1;
--- a/libfaad/sbr_syntax.c
+++ b/libfaad/sbr_syntax.c
@@ -196,7 +196,7 @@
             /* if an error occured with the new header values revert to the old ones */
             if (rt > 0)
             {
-                calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
+                result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
                     saved_samplerate_mode, saved_freq_scale,
                     saved_alter_scale, saved_xover_band);
             }
@@ -215,7 +215,7 @@
             if ((result > 0) &&
                 (sbr->Reset || (sbr->bs_header_flag && sbr->just_seeked)))
             {
-                calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
+                result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
                     saved_samplerate_mode, saved_freq_scale,
                     saved_alter_scale, saved_xover_band);          
             }