The crash happens when accessing Q_M_lim and G_lim arrays at position m > MAX_M.
G_lim contains the limiter to the gain for each QMF channel. The G_lim array has therefore MAX_M elements (= maximum number of QMF channels).
m is obtained from (user passed) f_table_lim, which contains frequency band borders. A frequency band is a group of consecutive QMF channels. Therefore m is a QMF channel number, meaning that the maximum value of m is also MAX_M.
There is no check for m > MAX_M. We should add one, since it's user input. Detecting such invalid input and rejecting it should fix this issue.
I'll submit a PR soon.
Edit: the algorithm and all variables are defined in ISO/IEC 14496-3:2001. You can find a copy of it here.
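To make the proposed fix concrete, here is an added example (not FAAD2's code, and not from the commenter above) of the input check the comment describes: every limiter band border read from f_table_lim is validated against MAX_M before it is ever used as an index into the gain arrays. MAX_M, the table layout and the requirement that borders be non-decreasing are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed value for this example only; in the real decoder MAX_M is the
 * maximum number of QMF channels and fixes the size of Q_M_lim / G_lim. */
#define MAX_M 49

/* Returns 1 if every band border in f_table_lim is a usable QMF channel
 * number (<= max_m) and the borders are non-decreasing (consecutive bands
 * must not overlap; this ordering rule is an assumption of this example),
 * otherwise 0. This is the "reject invalid user input" step. */
int validate_f_table_lim(const uint8_t *f_table_lim, int n_borders, unsigned max_m)
{
    if (n_borders < 2)
        return 0;                       /* a band needs a lower and an upper border */
    for (int i = 0; i < n_borders; i++) {
        if (f_table_lim[i] > max_m)
            return 0;                   /* would index past Q_M_lim / G_lim */
        if (i > 0 && f_table_lim[i] < f_table_lim[i - 1])
            return 0;                   /* band borders must not go backwards */
    }
    return 1;
}

/* Sketch of the loop shape the report describes: band k covers QMF channels
 * m from border k up to border k+1 and touches G_lim[m]. Because the table
 * was validated first, m can never exceed MAX_M. Returns the number of
 * channels visited, or -1 when the table is rejected. */
int apply_limiter(const uint8_t *f_table_lim, int n_borders)
{
    float G_lim[MAX_M + 1] = {0};       /* indices 0..MAX_M are in bounds */
    if (!validate_f_table_lim(f_table_lim, n_borders, MAX_M))
        return -1;
    int visited = 0;
    for (int k = 0; k < n_borders - 1; k++) {
        for (unsigned m = f_table_lim[k]; m < f_table_lim[k + 1]; m++) {
            G_lim[m] = 1.0f;            /* placeholder for the real gain limiter */
            visited++;
        }
    }
    return visited;
}

int main(void)
{
    const uint8_t good[] = {0, 8, 20, 49};   /* constructed, all borders <= MAX_M */
    const uint8_t bad[]  = {0, 8, 200};      /* constructed, border 200 > MAX_M */
    printf("good table: %d channels\n", apply_limiter(good, 4));
    printf("bad table: %d (rejected)\n", apply_limiter(bad, 3));
    return 0;
}
```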
Hi, I found a stack-buffer-overflow bug in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8; the details are below (ASAN):
POC FILE: https://github.com/fantasy7082/image_test/blob/master/015-stack-buffer-underflow-sbr_hfadj_1314