ref: b7883ae1398499daaa926ae6621f088f0f531ed8
parent: f8587e2d50dad72d40453ac1191c539ee9e50381
author: Mans Rullgard <mans@mansr.com>
date: Wed Apr 24 12:56:42 EDT 2019
fft4g: bail if size too large (CVE-2019-8356) Prevent overflowing of fixed-size buffers in bitrv2() and bitrv2conj() if the transform size is too large.
--- a/src/fft4g.c
+++ b/src/fft4g.c
@@ -322,6 +322,9 @@
void cdft(int n, int isgn, double *a, int *ip, double *w)
{+ if (n > FFT4G_MAX_SIZE)
+ return;
+
if (n > (ip[0] << 2)) {makewt(n >> 2, ip, w);
}
@@ -344,6 +347,9 @@
int nw, nc;
double xi;
+ if (n > FFT4G_MAX_SIZE)
+ return;
+
nw = ip[0];
if (n > (nw << 2)) {nw = n >> 2;
@@ -384,6 +390,9 @@
int j, nw, nc;
double xr;
+ if (n > FFT4G_MAX_SIZE)
+ return;
+
nw = ip[0];
if (n > (nw << 2)) {nw = n >> 2;
@@ -435,6 +444,9 @@
int j, nw, nc;
double xr;
+ if (n > FFT4G_MAX_SIZE)
+ return;
+
nw = ip[0];
if (n > (nw << 2)) {nw = n >> 2;
@@ -486,6 +498,9 @@
int j, k, l, m, mh, nw, nc;
double xr, xi, yr, yi;
+ if (n > FFT4G_MAX_SIZE)
+ return;
+
nw = ip[0];
if (n > (nw << 3)) {nw = n >> 3;
@@ -576,6 +591,9 @@
int j, k, l, m, mh, nw, nc;
double xr, xi, yr, yi;
+ if (n > FFT4G_MAX_SIZE)
+ return;
+
nw = ip[0];
if (n > (nw << 3)) {nw = n >> 3;
--- a/src/fft4g.h
+++ b/src/fft4g.h
@@ -13,6 +13,8 @@
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
+#define FFT4G_MAX_SIZE 262144
+
void lsx_cdft(int, int, double *, int *, double *);
void lsx_rdft(int, int, double *, int *, double *);
void lsx_ddct(int, int, double *, int *, double *);