ref: 912b2ee70e9087b2e2510db01b4d65806e7c9d78
parent: ac7e621dbb0775903b446947de71e5258e49ad27
author: François Cartegnie <fcartegnie@free.fr>
date: Mon May 4 17:49:26 EDT 2020
Unbreak PS audio (#51) This reverts commit 3b80a57483a6bc822d3ce3cc640fa81737a87c54.
--- a/libfaad/specrec.c
+++ b/libfaad/specrec.c
@@ -915,18 +915,18 @@
/* element_output_channels not set yet */
hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels;
} else if (hDecoder->element_output_channels[hDecoder->fr_ch_ele] != output_channels) {- /* element inconsistency
- * this only happens if PS is actually found but not in the first frame
+ /* element inconsistency */
+
+ /* this only happens if PS is actually found but not in the first frame
* this means that there is only 1 bitstream element!
*/
- if (hDecoder->fr_channels == 1) {- /* reset the allocation */
- hDecoder->element_alloced[hDecoder->fr_ch_ele] = 0;
- hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels;
- } else {- return 21;
- }
+ /* reset the allocation */
+ hDecoder->element_alloced[hDecoder->fr_ch_ele] = 0;
+
+ hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels;
+
+ //return 21;
}
if (hDecoder->element_alloced[hDecoder->fr_ch_ele] == 0)
@@ -938,6 +938,9 @@
hDecoder->element_alloced[hDecoder->fr_ch_ele] = 1;
}
+ /* sanity check, CVE-2018-20199, CVE-2018-20360 */
+ if(!hDecoder->time_out[sce->channel])
+ return 15;
/* dequantisation and scaling */
retval = quant_to_spec(hDecoder, ics, spec_data, spec_coef, hDecoder->frameLength);
@@ -1117,6 +1120,10 @@
hDecoder->element_alloced[hDecoder->fr_ch_ele] = 2;
}
+
+ /* sanity check, CVE-2018-20199, CVE-2018-20360 */
+ if(!hDecoder->time_out[cpe->channel])
+ return 15;
/* dequantisation and scaling */
retval = quant_to_spec(hDecoder, ics1, spec_data1, spec_coef1, hDecoder->frameLength);