[vlc-commits] faad: Fix potential stack buffer overflow

Hugo Beauzée-Luyssen git at videolan.org
Thu May 23 17:40:29 CEST 2019


vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Tue Mar  5 15:55:29 2019 +0100| [a31ca516a02678579c312897e648c64135725867] | committer: Hugo Beauzée-Luyssen

faad: Fix potential stack buffer overflow

DoReordering is bound by frame.channels, but the source array was bound
by AOUT_MAX_CHAN

https://hackerone.com/reports/503208

(cherry picked from commit f256bf045c2b1f7395f61b2039a67f18aee66673)
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=a31ca516a02678579c312897e648c64135725867
---

 modules/codec/faad.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/codec/faad.c b/modules/codec/faad.c
index 2a956aa753..dae312b147 100644
--- a/modules/codec/faad.c
+++ b/modules/codec/faad.c
@@ -513,13 +513,13 @@ static int DecodeBlock( decoder_t *p_dec, block_t *p_block )
         /* Convert frame.channel_position to our own channel values */
         p_dec->fmt_out.audio.i_physical_channels = 0;
 
-        uint8_t  pi_neworder_table[AOUT_CHAN_MAX];
-        uint32_t pi_faad_channels_positions[FAAD_CHANNEL_ID_COUNT + 1] = {0};
+        uint8_t  pi_neworder_table[64] = {0};
+        uint32_t pi_faad_channels_positions[64 + 1] = {0};
 
         bool b_reorder = false;
         if (p_dec->fmt_out.audio.channel_type == AUDIO_CHANNEL_TYPE_BITMAP)
         {
-            for( size_t i = 0; i < frame.channels && i < FAAD_CHANNEL_ID_COUNT; i++ )
+            for( size_t i = 0; i < frame.channels; i++ )
             {
                 unsigned pos = frame.channel_position[i];
                 if( likely(pos < FAAD_CHANNEL_ID_COUNT) )



More information about the vlc-commits mailing list