specrec: better handle unexpected PS
Parametric Stereo (PS) can arrive at any moment in input files. PS
changes the number of output channels and therefore requires more
allocated memory in various structures from hDecoder.

The current faad2 code attempts to perform allocation surgery in
hDecoder to recover from this. This works well when there is only one
frame channel, else it creates a large number of memory corruption
issues.

If there is more than one input channel, return cleanly with error
code. It would be nice to handle this, but this is likely to be a lot
of work and is beyond the scope of a security fix.

This commit addresses CVE-2018-20360 and CVE-2018-20199 (fixes knik0#32,
fixes knik0#24).
hlef committed Aug 19, 2019
1 parent 19b81b0 commit 3b80a57
Showing 1 changed file with 9 additions and 9 deletions.
18 changes: 9 additions & 9 deletions libfaad/specrec.c
Expand Up @@ -915,18 +915,18 @@ uint8_t reconstruct_single_channel(NeAACDecStruct *hDecoder, ic_stream *ics,
/* element_output_channels not set yet */
hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels;
} else if (hDecoder->element_output_channels[hDecoder->fr_ch_ele] != output_channels) {
/* element inconsistency */

/* this only happens if PS is actually found but not in the first frame
/* element inconsistency
* this only happens if PS is actually found but not in the first frame
* this means that there is only 1 bitstream element!
*/

/* reset the allocation */
hDecoder->element_alloced[hDecoder->fr_ch_ele] = 0;

hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels;

//return 21;
if (hDecoder->fr_channels == 1) {
/* reset the allocation */
hDecoder->element_alloced[hDecoder->fr_ch_ele] = 0;
hDecoder->element_output_channels[hDecoder->fr_ch_ele] = output_channels;
} else {
return 21;
}
}

if (hDecoder->element_alloced[hDecoder->fr_ch_ele] == 0)
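Review bot: The comment kept above the new `if (hDecoder->fr_channels == 1)` still states "this means that there is only 1 bitstream element!", yet the added `else { return 21; }` branch exists because that assumption can be false. The comment should be reworded to say that the reallocation path is only taken for a single frame channel and that any other case is rejected. The bare `return 21;` also carries no explanation in the code itself; a one-line comment on the else branch saying which error this reports and why multi-channel input is refused would keep the reasoning next to the check. It is worth confirming in the same review that callers of reconstruct_single_channel act on the non-zero return, because on this path `element_alloced` and `element_output_channels` are deliberately left unchanged.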