
Null pointer dereference vulnerability in sbr_process_channel(libfaad/sbr_dec.c:413) #28

Closed
fantasy7082 opened this issue Dec 17, 2018 · 8 comments

Comments

@fantasy7082

Hi, I found a null pointer dereference bug in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. It crashed in function sbr_process_channel. The details are below (ASAN):

./faad faad_res/014-null-point-sbr_dec_413 -o out.wav
 *********** Ahead Software MPEG-4 AAC Decoder V2.8.8 ******************

 Build: Dec 13 2018
 Copyright 2002-2004: Ahead Software AG
 http://www.audiocoding.com
 bug tracking: https://sourceforge.net/p/faac/bugs/
 Floating point version

 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License.

 **************************************************************************

faad_res/014-null-point-sbr_dec_413 file info:
ADTS, 0.469 sec, 41 kbps, 48000 Hz

  ---------------------
 | Config:  2 Ch       |
  ---------------------
 | Ch |    Position    |
  ---------------------
 | 00 | Left front     |
 | 01 | Right front    |
  ---------------------

ASAN:SIGSEGVfaad_res/014-null-point-sbr_dec_413.
=================================================================
==7082==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1bfe18af07 bp 0x7ffcee38c300 sp 0x7ffcee38c2c0 T0)
    #0 0x7f1bfe18af06 in sbr_process_channel /root/faad2_asan/libfaad/sbr_dec.c:413
    #1 0x7f1bfe18c7fa in sbrDecodeSingleFramePS /root/faad2_asan/libfaad/sbr_dec.c:637
    #2 0x7f1bfe134b54 in reconstruct_single_channel /root/faad2_asan/libfaad/specrec.c:1071
    #3 0x7f1bfe13ce28 in single_lfe_channel_element /root/faad2_asan/libfaad/syntax.c:631
    #4 0x7f1bfe13b354 in decode_sce_lfe /root/faad2_asan/libfaad/syntax.c:351
    #5 0x7f1bfe13c2da in raw_data_block /root/faad2_asan/libfaad/syntax.c:441
    #6 0x7f1bfe0f69c3 in aac_frame_decode /root/faad2_asan/libfaad/decoder.c:990
    #7 0x7f1bfe0f6566 in NeAACDecDecode /root/faad2_asan/libfaad/decoder.c:821
    #8 0x40f8ae in decodeAACfile /root/faad2_asan/frontend/main.c:679
    #9 0x411dd4 in faad_main /root/faad2_asan/frontend/main.c:1323
    #10 0x411fe5 in main /root/faad2_asan/frontend/main.c:1366
    #11 0x7f1bfdd2e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x401aa8 in _start (/usr/local/faad-asan/bin/faad+0x401aa8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/faad2_asan/libfaad/sbr_dec.c:413 sbr_process_channel
==7082==ABORTING

POC FILE: https://github.com/fantasy7082/image_test/blob/master/014-null-point-sbr_dec_413

@hlef
Contributor

hlef commented May 5, 2019

This issue was assigned CVE-2018-20357.

Appears to have been fixed by 6b4a7cd, needs to be double checked.

@fabiangreffrath
Collaborator

@hlef Please feel free to close any issues that you consider already fixed in the current source code.

@hlef
Contributor

hlef commented May 6, 2019

> @hlef Please feel free to close any issues that you consider already fixed in the current source code.

I don't have permissions to close bug reports here :)

@fabiangreffrath
Collaborator

> I don't have permissions to close bug reports here :)

Oops, I'll close whatever you mark as fixed then. 😉

@fabiangreffrath
Collaborator

Hm, so can this get closed?

@fabiangreffrath
Collaborator

@hlef Hm?

@hlef
Contributor

hlef commented Aug 20, 2019

I can confirm that this is the same underlying issue as #21, different path. Fixed in 6b4a7cd

This can be closed!

@fabiangreffrath
Collaborator

And it's closed.
