-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Null pointer dereference vulnerability in ifilter_bank (libfaad/filtbank.c:275) #26
Comments
I had a look at this issue. This crash appears to happen with all files defining SCE (single channel) frames followed (directly or not) by CPE (stereo) frames. Rationale: The decoder struct contains a mem_alloced array used to keep track of allocated resources. This array is used to avoid allocating and freeing memory for each single frame. Instead, buffers are allocated when they are first needed for a frame, and the mem_alloced flag corresponding to these buffers is set. Following frames just check for the mem_alloced flag, allowing them to skip the allocation part and use the buffers directly. Problem: some buffers like hDecoder->fb_intermed are initalized differently depending on whether the frame is mono or stereo. The result is that reconstruct_channel_pair checks whether the buffer as been initialized, which returns true because reconstruct_single_channel initialized it before, but in fact it is only 'half' initialized because only buffers for the first channel have been allocated, they are still 0x0 for the second channel. This is a design issue. Possible fix:
I'll PR the last suggestion for now. FTR: this issue was assigned CVE-2018-20362. |
The faad2 code base appears to assume that all frames of a same AAC file share the same syntax element structure. However, input files are not strictly verified again this assumption, or too late during file processing. This leads to security vulnerabilities when processing crafted AAC files where these assumptions are false. For example, files declaring two frames, the first SCE+FIL and the second CPE. Add checks to decode_sce_lfe and decode_cpe to make sure inter-frame inconsistencies are detected as early as possible. These checks first read hDecoder->frame: if this is not the first frame then we make sure that the syntax element at the same position in the previous frame also had element_id id_syn_ele. If not, return 21 as this is a fatal file structure issue. This patch addresses CVE-2018-20362 (fixes knik0#26) and possibly other related issues.
Implicit channel mapping reconfiguration is explicitely forbidden by ISO/IEC 13818-7:2006 (8.5.3.3). Decoders should be able to detect such files and reject them. FAAD2 does not perform any kind of checks regarding this. This leads to security vulnerabilities when processing crafted AAC files performing such reconfigurations. Add checks to decode_sce_lfe and decode_cpe to make sure such inconsistencies are detected as early as possible. These checks first read hDecoder->frame: if this is not the first frame then we make sure that the syntax element at the same position in the previous frame also had element_id id_syn_ele. If not, return 21 as this is a fatal file structure issue. This patch addresses CVE-2018-20362 (fixes knik0#26) and possibly other related issues.
Hi, i found a null pointer dereference bug in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. It crashed in function ifilter_bank.the details are below(ASAN):
POC FILE:https://github.com/fantasy7082/image_test/blob/master/008-null-point-filtbank_275
The text was updated successfully, but these errors were encountered: