Merge pull request #166 from npt-1707/fix-CVE-2019-15296

DyncEric · web-flow · commit 18e5314a5273 · 2025-04-22T08:48:39.000+08:00
Fix a couple buffer overflows
diff --git a/third_party/faad2-2.7/libfaad/bits.c b/third_party/faad2-2.7/libfaad/bits.c
@@ -167,7 +167,10 @@ void faad_resetbits(bitfile *ld, int bits)
     int words = bits >> 5;
     int remainder = bits & 0x1F;
 
-    ld->bytes_left = ld->buffer_size - words*4;
+    if (ld->buffer_size < words * 4)
+        ld->bytes_left = 0;
+    else
+        ld->bytes_left = ld->buffer_size - words*4;
 
     if (ld->bytes_left >= 4)
     {
diff --git a/third_party/faad2-2.7/libfaad/syntax.c b/third_party/faad2-2.7/libfaad/syntax.c
@@ -2167,11 +2167,11 @@ static uint16_t extension_payload(bitfile *ld, drc_info *drc, uint16_t count)
         return n;
     case EXT_FILL_DATA:
         /* fill_nibble = */ faad_getbits(ld, 4
-            DEBUGVAR(1,136,"extension_payload(): fill_nibble")); /* must be �0000� */
+            DEBUGVAR(1,136,"extension_payload(): fill_nibble")); /* must be �0000� */
         for (i = 0; i < count-1; i++)
         {
             /* fill_byte[i] = */ faad_getbits(ld, 8
-                DEBUGVAR(1,88,"extension_payload(): fill_byte")); /* must be �10100101� */
+                DEBUGVAR(1,88,"extension_payload(): fill_byte")); /* must be �10100101� */
         }
         return count;
     case EXT_DATA_ELEMENT:
@@ -2292,6 +2292,8 @@ static uint8_t excluded_channels(bitfile *ld, drc_info *drc)
     while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld
         DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)
     {
+        if (i >= MAX_CHANNELS - num_excl_chan - 7)
+            return n;
         for (i = num_excl_chan; i < num_excl_chan+7; i++)
         {
             drc->exclude_mask[i] = faad_get1bit(ld

Original file line number	Diff line number	Diff line change
`@@ -2167,11 +2167,11 @@ static uint16_t extension_payload(bitfile ld, drc_info drc, uint16_t count)`
`2167`	`2167`	`return n;`
`2168`	`2168`	`case EXT_FILL_DATA:`
`2169`	`2169`	`/* fill_nibble = */ faad_getbits(ld, 4`
`2170`		`- DEBUGVAR(1,136,"extension_payload(): fill_nibble")); /* must be 0000 */`
	`2170`	`+ DEBUGVAR(1,136,"extension_payload(): fill_nibble")); /* must be �0000� */`
`2171`	`2171`	`for (i = 0; i < count-1; i++)`
`2172`	`2172`	`{`
`2173`	`2173`	`/* fill_byte[i] = */ faad_getbits(ld, 8`
`2174`		`- DEBUGVAR(1,88,"extension_payload(): fill_byte")); /* must be 10100101 */`
	`2174`	`+ DEBUGVAR(1,88,"extension_payload(): fill_byte")); /* must be �10100101� */`
`2175`	`2175`	`}`
`2176`	`2176`	`return count;`
`2177`	`2177`	`case EXT_DATA_ELEMENT:`
`@@ -2292,6 +2292,8 @@ static uint8_t excluded_channels(bitfile ld, drc_info drc)`
`2292`	`2292`	`while ((drc->additional_excluded_chns[n-1] = faad_get1bit(ld`
`2293`	`2293`	`DEBUGVAR(1,104,"excluded_channels(): additional_excluded_chns"))) == 1)`
`2294`	`2294`	`{`
	`2295`	`+ if (i >= MAX_CHANNELS - num_excl_chan - 7)`
	`2296`	`+ return n;`
`2295`	`2297`	`for (i = num_excl_chan; i < num_excl_chan+7; i++)`
`2296`	`2298`	`{`
`2297`	`2299`	`drc->exclude_mask[i] = faad_get1bit(ld`