Merge pull request #36 from hlef/master

mp4read/sbr_fbt: security bug fixes
knik0 · Aug 19, 2019 · 19b81b0 · 19b81b0
2 parents 920ec98 + 6aeeaa1
commit 19b81b0
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 9 deletions.
diff --git a/frontend/main.c b/frontend/main.c
@@ -915,6 +915,11 @@ static int decodeMP4file(char *mp4file, char *sndfile, char *adts_fn, int to_std
 
         sample_buffer = NeAACDecDecode(hDecoder, &frameInfo, mp4config.bitbuf.data, mp4config.bitbuf.size);
 
+        if (!sample_buffer) {
+            /* unable to decode file, abort */
+            break;
+        }
+
         if (adts_out == 1)
         {
             adtsData = MakeAdtsHeader(&adtsDataSize, &frameInfo, 0);
@@ -1365,4 +1370,4 @@ int main(int argc, char *argv[])
 #else
     return faad_main(argc, argv);
 #endif
-}
+}
diff --git a/frontend/mp4read.c b/frontend/mp4read.c
@@ -797,7 +797,8 @@ static int moovin(int sizemax)
 {
     long apos = ftell(g_fin);
     uint32_t atomsize;
-    int err;
+    creator_t *old_atom = g_atom;
+    int err, ret = sizemax;
 
     static creator_t mvhd[] = {
         {ATOM_NAME, "mvhd"},
@@ -841,8 +842,11 @@ static int moovin(int sizemax)
 
     g_atom = mvhd;
     atomsize = sizemax + apos - ftell(g_fin);
-    if (parse(&atomsize) < 0)
+    if (parse(&atomsize) < 0) {
+        g_atom = old_atom;
         return ERR_FAIL;
+    }
+
     fseek(g_fin, apos, SEEK_SET);
 
     while (1)
@@ -856,13 +860,16 @@ static int moovin(int sizemax)
         err = parse(&atomsize);
         //fprintf(stderr, "SIZE: %x/%x\n", atomsize, sizemax);
         if (err >= 0)
-            return sizemax;
-        if (err != ERR_UNSUPPORTED)
-            return err;
+            break;
+        if (err != ERR_UNSUPPORTED) {
+            ret = err;
+            break;
+        }
         //fprintf(stderr, "UNSUPP\n");
     }
 
-    return sizemax;
+    g_atom = old_atom;
+    return ret;
 }
 
 

diff --git a/libfaad/sbr_fbt.c b/libfaad/sbr_fbt.c
@@ -526,6 +526,8 @@ uint8_t derived_frequency_table(sbr_info *sbr, uint8_t bs_xover_band,
     }
 
     sbr->M = sbr->f_table_res[HI_RES][sbr->N_high] - sbr->f_table_res[HI_RES][0];
+    if (sbr->M > MAX_M)
+        return 1;
     sbr->kx = sbr->f_table_res[HI_RES][0];
     if (sbr->kx > 32)
         return 1;

diff --git a/libfaad/sbr_syntax.c b/libfaad/sbr_syntax.c
@@ -196,7 +196,7 @@ uint8_t sbr_extension_data(bitfile *ld, sbr_info *sbr, uint16_t cnt,
             /* if an error occured with the new header values revert to the old ones */
             if (rt > 0)
             {
-                calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
+                result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
                     saved_samplerate_mode, saved_freq_scale,
                     saved_alter_scale, saved_xover_band);
             }
@@ -215,7 +215,7 @@ uint8_t sbr_extension_data(bitfile *ld, sbr_info *sbr, uint16_t cnt,
             if ((result > 0) &&
                 (sbr->Reset || (sbr->bs_header_flag && sbr->just_seeked)))
             {
-                calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
+                result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
                     saved_samplerate_mode, saved_freq_scale,
                     saved_alter_scale, saved_xover_band);          
             }