[vlc-commits] faad: Fix potential stack buffer overflow

Hugo Beauzée-Luyssen git at videolan.org
Thu May 23 17:21:02 CEST 2019


vlc | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Tue Mar  5 15:55:29 2019 +0100| [f256bf045c2b1f7395f61b2039a67f18aee66673] | committer: Hugo Beauzée-Luyssen

faad: Fix potential stack buffer overflow

DoReordering is bound by frame.channels, but the source array was bound
by AOUT_MAX_CHAN
https://hackerone.com/reports/503208

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=f256bf045c2b1f7395f61b2039a67f18aee66673
---

 modules/codec/faad.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/codec/faad.c b/modules/codec/faad.c
index ce537c8446..55dfa38e41 100644
--- a/modules/codec/faad.c
+++ b/modules/codec/faad.c
@@ -514,13 +514,13 @@ static int DecodeBlock( decoder_t *p_dec, block_t *p_block )
         /* Convert frame.channel_position to our own channel values */
         p_dec->fmt_out.audio.i_physical_channels = 0;
 
-        uint8_t  pi_neworder_table[AOUT_CHAN_MAX];
-        uint32_t pi_faad_channels_positions[FAAD_CHANNEL_ID_COUNT + 1] = {0};
+        uint8_t  pi_neworder_table[64] = {0};
+        uint32_t pi_faad_channels_positions[64 + 1] = {0};
 
         bool b_reorder = false;
         if (p_dec->fmt_out.audio.channel_type == AUDIO_CHANNEL_TYPE_BITMAP)
         {
-            for( size_t i = 0; i < frame.channels && i < FAAD_CHANNEL_ID_COUNT; i++ )
+            for( size_t i = 0; i < frame.channels; i++ )
             {
                 unsigned pos = frame.channel_position[i];
                 if( likely(pos < FAAD_CHANNEL_ID_COUNT) )



More information about the vlc-commits mailing list