File Fix-a-couple-buffer-overflows.patch of Package faad2

File Fix-a-couple-buffer-overflows.patch of Package faad2 (Revision 23)

Currently displaying revision 23 , Show latest

From: =?utf-8?q?Hugo_Beauz=C3=A9e-Luyssen?= <hugo@beauzee.fr>
Date: Fri, 7 Jun 2019 20:02:57 +0200
Subject: Fix a couple buffer overflows

https://hackerone.com/reports/502816
https://hackerone.com/reports/507858
---
 libfaad/bits.c   | 5 ++++-
 libfaad/syntax.c | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/libfaad/bits.c b/libfaad/bits.c
index dc14d7a..4c0de24 100644
--- a/libfaad/bits.c
+++ b/libfaad/bits.c
@@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bits)
     int words = bits >> 5;
     int remainder = bits & 0x1F;
 
-    ld->bytes_left = ld->buffer_size - words*4;
+    if (ld->buffer_size < words * 4)
+        ld->bytes_left = 0;
+    else
+        ld->bytes_left = ld->buffer_size - words*4;
 
     if (ld->bytes_left >= 4)
     {
diff --git a/libfaad/syntax.c b/libfaad/syntax.c
index e7fb113..c992543 100644
--- a/libfaad/syntax.c
+++ b/libfaad/syntax.c
@@ -2304,6 +2304,8 @@ static uint8_t excluded_channels(bitfile *ld, drc_info *drc)
     while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
         DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
     {
+        if (i >= MAX_CHANNELS - num_excl_chan - 7)
+            return n;
         for (i = num_excl_chan; i < num_excl_chan+7; i++)
         {
             drc->exclude_mask[i] = faad_get1bit(ld

 
From: =?utf-8?q?Hugo_Beauz=C3=A9e-Luyssen?= <hugo@beauzee.fr>
Date: Fri, 7 Jun 2019 20:02:57 +0200
Subject: Fix a couple buffer overflows
​
https://hackerone.com/reports/502816
https://hackerone.com/reports/507858
---
 libfaad/bits.c   | 5 ++++-
 libfaad/syntax.c | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)
​
diff --git a/libfaad/bits.c b/libfaad/bits.c
index dc14d7a..4c0de24 100644
--- a/libfaad/bits.c
+++ b/libfaad/bits.c
@@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bits)
     int words = bits >> 5;
     int remainder = bits & 0x1F;
 
-    ld->bytes_left = ld->buffer_size - words*4;
+    if (ld->buffer_size < words * 4)
+        ld->bytes_left = 0;
+    else
+        ld->bytes_left = ld->buffer_size - words*4;
 
     if (ld->bytes_left >= 4)
     {
diff --git a/libfaad/syntax.c b/libfaad/syntax.c
index e7fb113..c992543 100644
--- a/libfaad/syntax.c
+++ b/libfaad/syntax.c
@@ -2304,6 +2304,8 @@ static uint8_t excluded_channels(bitfile *ld, drc_info *drc)
     while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
         DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
     {
+        if (i >= MAX_CHANNELS - num_excl_chan - 7)
+            return n;
         for (i = num_excl_chan; i < num_excl_chan+7; i++)
         {
             drc->exclude_mask[i] = faad_get1bit(ld
​