[vlc-commits] contrib: faad2: Fix a couple buffer overflows

[Hugo Beauzée-Luyssen]

vlc | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Tue Mar 26 10:23:22 2019 +0100| [16d40d9f8a57b6bdd01b8ee0ecf5147547d5953c] | committer: Hugo Beauzée-Luyssen

contrib: faad2: Fix a couple buffer overflows

https://hackerone.com/reports/502816
https://hackerone.com/reports/507858

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=16d40d9f8a57b6bdd01b8ee0ecf5147547d5953c
---

 contrib/src/faad2/faad2-fix-overflows.patch | 25 +++++++++++++++++++++++++
 contrib/src/faad2/rules.mak                 |  1 +
 2 files changed, 26 insertions(+)

diff --git a/contrib/src/faad2/faad2-fix-overflows.patch b/contrib/src/faad2/faad2-fix-overflows.patch
new file mode 100644
index 0000000000..5a198f8d8f
--- /dev/null
+++ b/contrib/src/faad2/faad2-fix-overflows.patch
@@ -0,0 +1,25 @@
+--- faad2/libfaad/bits.c	2007-11-01 13:33:29.000000000 +0100
++++ faad2.new/libfaad/bits.c	2019-03-25 17:29:26.134199188 +0100
+@@ -167,7 +167,10 @@
+     int words = bits >> 5;
+     int remainder = bits & 0x1F;
+ 
+-    ld->bytes_left = ld->buffer_size - words*4;
++    if (ld->buffer_size < words * 4)
++        ld->bytes_left = 0;
++    else
++        ld->bytes_left = ld->buffer_size - words*4;
+ 
+     if (ld->bytes_left >= 4)
+     {
+--- faad2/libfaad/syntax.c	2019-03-25 17:57:36.930937066 +0100
++++ faad2.new/libfaad/syntax.c	2019-03-25 17:49:26.135368525 +0100
+@@ -2292,6 +2292,8 @@
+     while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
+         DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
+     {
++        if (i >= MAX_CHANNELS - num_excl_chan - 7)
++            return n;
+         for (i = num_excl_chan; i < num_excl_chan+7; i++)
+         {
+             drc->exclude_mask[i] = faad_get1bit(ld
diff --git a/contrib/src/faad2/rules.mak b/contrib/src/faad2/rules.mak
index 7514b8c9a4..394cf94032 100644
--- a/contrib/src/faad2/rules.mak
+++ b/contrib/src/faad2/rules.mak
@@ -24,6 +24,7 @@ endif
 	$(APPLY) $(SRC)/faad2/faad2-fix-71wPCEmapping.patch
 	$(APPLY) $(SRC)/faad2/faad2-fix-cpe-reconstruction.patch
 	$(APPLY) $(SRC)/faad2/faad2-add-define.patch
+	$(APPLY) $(SRC)/faad2/faad2-fix-overflows.patch
 	cd $(UNPACK_DIR) && $(CC) -iquote . -E - </dev/null || sed -i 's/-iquote /-I/' libfaad/Makefile.am
 	$(MOVE)