sbr_hfadj: sanitize frequency band borders

user passed f_table_lim contains frequency band borders. Frequency
bands are groups of consecutive QMF channels. This means that their
bounds, as provided by f_table_lim, should never exceed MAX_M (maximum
number of QMF channels). c.f. ISO/IEC 14496-3:2001

FAAD2 does not verify this, leading to security issues when
processing files defining f_table_lim with values > MAX_M.

This patch sanitizes the values of f_table_lim so that they can be safely
used as index for Q_M_lim and G_lim arrays.

Fixes #21 (CVE-2018-20194).

libfaad/sbr_hfadj.c

@@ -485,6 +485,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch)
             ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
             ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
 
+            if (ml1 > MAX_M)
+                ml1 = MAX_M;
+
+            if (ml2 > MAX_M)
+                ml2 = MAX_M;
+
 
             /* calculate the accumulated E_orig and E_curr over the limiter band */
             for (m = ml1; m < ml2; m++)
@@ -949,6 +955,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch)
             ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
             ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
 
+            if (ml1 > MAX_M)
+                ml1 = MAX_M;
+
+            if (ml2 > MAX_M)
+                ml2 = MAX_M;
+
 
             /* calculate the accumulated E_orig and E_curr over the limiter band */
             for (m = ml1; m < ml2; m++)
@@ -1193,6 +1205,12 @@ static void calculate_gain(sbr_info *sbr, sbr_hfadj_info *adj, uint8_t ch)
             ml1 = sbr->f_table_lim[sbr->bs_limiter_bands][k];
             ml2 = sbr->f_table_lim[sbr->bs_limiter_bands][k+1];
 
+            if (ml1 > MAX_M)
+                ml1 = MAX_M;
+
+            if (ml2 > MAX_M)
+                ml2 = MAX_M;
+
 
             /* calculate the accumulated E_orig and E_curr over the limiter band */
             for (m = ml1; m < ml2; m++)