sbr->M is set by derived_frequency_table() from user-passed input
without checking for > MAX_M.
This leads to out-of-bounds accesses later, crashes and potential
security relevant issues. It should be considered a fatal error for
the SBR block.
return error code if sbr->M > MAX_M.
also, in some cases sbr_extension_data() ignores the return value of
calc_sbr_tables, probably assuming that sbr is always valid. It should
almost certainly not do that.
fixesknik0#19 (CVE-2018-20196).
hlef
added a commit
to hlef/faad2
that referenced
this issue
Aug 10, 2019
sbr->M is set by derived_frequency_table() from user-passed input
without checking for > MAX_M.
This leads to out-of-bounds accesses later, crashes and potential
security relevant issues. It should be considered a fatal error for
the SBR block.
return error code if sbr->M > MAX_M.
also, in some cases sbr_extension_data() ignores the return value of
calc_sbr_tables, probably assuming that sbr is always valid. It should
almost certainly not do that.
fixesknik0#19 (CVE-2018-20196).
Hi, i found a stack-buffer-overflow bug in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8, the details are below(ASAN):
POC FILE:https://github.com/fantasy7082/image_test/blob/master/013-stack-buffer-overflow-sbr_hfadj_1287
The text was updated successfully, but these errors were encountered: