mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity

faad2: patch CVE-2021-32274 and CVE-2021-32277

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2021-32274
https://nvd.nist.gov/vuln/detail/CVE-2021-32277

Pick the patch that resolved the issues linked in the nvd reports
(same patch fixes both vulnerabilities).

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

merge to CVE-2021-32274
This commit is contained in:
Gyorgy Sarvari
2025-10-16 11:29:16 +02:00
parent e06fe48896
commit d301a4324b
2 changed files with 88 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-multimedia/faad2/faad2/0001-Restrict-SBR-frame-length-to-960-and-1024-samples.patch
+87
View File
@@ -0,0 +1,87 @@
From 9f7515c9571d5c72f6ec2dd6199650093628730b Mon Sep 17 00:00:00 2001
From: Andrew Wesie <awesie@gmail.com>
Date: Mon, 5 Oct 2020 05:47:59 -0500
Subject: [PATCH] Restrict SBR frame length to 960 and 1024 samples.
Fixes #59 and #60.
CVE: CVE-2021-32274 CVE-2021-32277
Upstream-Status: Backport [https://github.com/knik0/faad2/commit/c78251b2b5d41ea840fd61ab9502b3d3036bd747]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
libfaad/sbr_dec.c | 9 ++++++++-
libfaad/specrec.c | 4 ++++
libfaad/syntax.c | 7 +++++++
3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/libfaad/sbr_dec.c b/libfaad/sbr_dec.c
index 0705ddd..1a541ef 100644
--- a/libfaad/sbr_dec.c
+++ b/libfaad/sbr_dec.c
@@ -97,10 +97,17 @@ sbr_info *sbrDecodeInit(uint16_t framelength, uint8_t id_aac,
{
sbr->numTimeSlotsRate = RATE * NO_TIME_SLOTS_960;
sbr->numTimeSlots = NO_TIME_SLOTS_960;
- } else {
+ }
+ else if (framelength == 1024)
+ {
sbr->numTimeSlotsRate = RATE * NO_TIME_SLOTS;
sbr->numTimeSlots = NO_TIME_SLOTS;
}
+ else
+ {
+ faad_free(sbr);
+ return NULL;
+ }
sbr->GQ_ringbuf_index[0] = 0;
sbr->GQ_ringbuf_index[1] = 0;
diff --git a/libfaad/specrec.c b/libfaad/specrec.c
index 9797d6e..d539bbe 100644
--- a/libfaad/specrec.c
+++ b/libfaad/specrec.c
@@ -1053,6 +1053,8 @@ uint8_t reconstruct_single_channel(NeAACDecStruct *hDecoder, ic_stream *ics,
#endif
);
}
+ if (!hDecoder->sbr[ele])
+ return 19;
if (sce->ics1.window_sequence == EIGHT_SHORT_SEQUENCE)
hDecoder->sbr[ele]->maxAACLine = 8*min(sce->ics1.swb_offset[max(sce->ics1.max_sfb-1, 0)], sce->ics1.swb_offset_max);
@@ -1305,6 +1307,8 @@ uint8_t reconstruct_channel_pair(NeAACDecStruct *hDecoder, ic_stream *ics1, ic_s
#endif
);
}
+ if (!hDecoder->sbr[ele])
+ return 19;
if (cpe->ics1.window_sequence == EIGHT_SHORT_SEQUENCE)
hDecoder->sbr[ele]->maxAACLine = 8*min(cpe->ics1.swb_offset[max(cpe->ics1.max_sfb-1, 0)], cpe->ics1.swb_offset_max);
diff --git a/libfaad/syntax.c b/libfaad/syntax.c
index f8e808c..462ba9e 100644
--- a/libfaad/syntax.c
+++ b/libfaad/syntax.c
@@ -1079,6 +1079,8 @@ static uint8_t fill_element(NeAACDecStruct *hDecoder, bitfile *ld, drc_info *drc
#endif
);
}
+ if (!hDecoder->sbr[sbr_ele])
+ return 19;
hDecoder->sbr_present_flag = 1;
@@ -1348,6 +1350,11 @@ void DRM_aac_scalable_main_element(NeAACDecStruct *hDecoder, NeAACDecFrameInfo *
hDecoder->sbr[0] = sbrDecodeInit(hDecoder->frameLength, hDecoder->element_id[0],
2*get_sample_rate(hDecoder->sf_index), 0 /* ds SBR */, 1);
}
+ if (!hDecoder->sbr[0])
+ {
+ hInfo->error = 19;
+ return;
+ }
/* Reverse bit reading of SBR data in DRM audio frame */
revbuffer = (uint8_t*)faad_malloc(buffer_size*sizeof(uint8_t));
meta-oe/recipes-multimedia/faad2/faad2_2.8.8.bb
+1
View File
@@ -10,6 +10,7 @@ LICENSE_FLAGS = "commercial"
SRC_URI = "${SOURCEFORGE_MIRROR}/faac/faad2-src/faad2-2.8.0/${BP}.tar.gz \
file://0001-fix-heap-buffer-overflow-in-mp4read.c.patch \
file://0001-mp4read.c-fix-stack-buffer-overflow-in-stringin-ftyp.patch \
file://0001-Restrict-SBR-frame-length-to-960-and-1024-samples.patch \
"
SRC_URI[md5sum] = "28f6116efdbe9378269f8a6221767d1f"
SRC_URI[sha256sum] = "985c3fadb9789d2815e50f4ff714511c79c2710ac27a4aaaf5c0c2662141426d"