ref: 3b80a57483a6bc822d3ce3cc640fa81737a87c54
parent: 19b81b0cb9c82430a01c4806543a580d3b656dd0
author: Hugo Lefeuvre <hle@debian.org>
date: Mon Aug 19 13:24:55 EDT 2019
specrec: better handle unexpected PS

Parametric Stereo (PS) can arrive at any moment in input files. PS changes the number of output channels and therefore requires more allocated memory in various structures from hDecoder. The current faad2 code attempts to perform allocation surgery in hDecoder to recover from this. This works well when there is only one frame channel; otherwise it creates a large number of memory corruption issues. If there is more than one input channel, return cleanly with an error code. It would be nice to handle this, but this is likely to be a lot of work and is beyond the scope of a security fix. This commit addresses CVE-2018-20360 and CVE-2018-20199 (fixes #32, fixes #24).
--- a/libfaad/specrec.c
+++ b/libfaad/specrec.c
@@ -915,18 +915,18 @@
/* element_output_channels not set yet */
hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels;
} else if (hDecoder->element_output_channels[hDecoder->fr_ch_ele] != output_channels) {
- /* element inconsistency */
-
- /* this only happens if PS is actually found but not in the first frame
+ /* element inconsistency
+ * this only happens if PS is actually found but not in the first frame
* this means that there is only 1 bitstream element!
*/
- /* reset the allocation */
- hDecoder->element_alloced[hDecoder->fr_ch_ele] = 0;
-
- hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels;
-
- //return 21;
+ if (hDecoder->fr_channels == 1) {
+ /* reset the allocation */
+ hDecoder->element_alloced[hDecoder->fr_ch_ele] = 0;
+ hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels;
+ } else {
+ return 21;
+ }
}
if (hDecoder->element_alloced[hDecoder->fr_ch_ele] == 0)
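Review bot: The retained comment in the `else if` branch still says "this means that there is only 1 bitstream element!", yet the new `else { return 21; }` exists because that assumption does not hold for every input, so the comment now contradicts the code beneath it. I would reword it to state the enforced condition, e.g. `/* PS found after the first frame: reallocation is only safe when fr_channels == 1 */`, and add `/* reject: output channel count changed with several frame channels */` on the `return 21;` line so the bare error number is explained. The single-channel path still depends on the `element_alloced == 0` block that opens on the last line of the hunk to resize every per-element buffer. That block and the rest of the function lie outside the hunk, so whether the old buffers are released or resized consistently cannot be confirmed from here.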