From patchwork Thu Dec 20 00:00:22 2018
X-Patchwork-Submitter: Jacob Trimble
X-Patchwork-Id: 11484
Date: Wed, 19 Dec 2018 16:00:22 -0800
Message-Id: <20181220000022.169233-1-modmaker@google.com>
From: Jacob Trimble
To: ffmpeg-devel@ffmpeg.org
Cc: Jacob Trimble
Subject: [FFmpeg-devel] [PATCH] libavformat/mov: Fix NULL-dereference read for some encrypted content.

When reading frames, we need to use the fragment for the correct stream.
Sometimes the "current" fragment is not the same as the one the frame is for.

Found by Chromium's ClusterFuzz:
https://crbug.com/906392 and https://crbug.com/915524

Signed-off-by: Jacob Trimble
---
 libavformat/mov.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index fb95fd2fef..cefdedb1bd 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -6561,14 +6561,14 @@ static int cenc_decrypt(MOVContext *c, MOVStreamContext *sc, AVEncryptionInfo *s return 0; } -static int cenc_filter(MOVContext *mov, MOVStreamContext *sc, AVPacket *pkt, int current_index) +static int cenc_filter(MOVContext *mov, AVStream* st, MOVStreamContext *sc, AVPacket *pkt, int current_index) { MOVFragmentStreamInfo *frag_stream_info; MOVEncryptionIndex *encryption_index; AVEncryptionInfo *encrypted_sample; int encrypted_index, ret; - frag_stream_info = get_current_frag_stream_info(&mov->frag_index); + frag_stream_info = get_frag_stream_info(&mov->frag_index, mov->frag_index.current, st->id); encrypted_index = current_index; encryption_index = NULL; if (frag_stream_info) { @@ -7798,7 +7798,7 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) if (mov->aax_mode) aax_filter(pkt->data, pkt->size, mov); - ret = cenc_filter(mov, sc, pkt, current_index); + ret = cenc_filter(mov, st, sc, pkt, current_index); if (ret < 0) return ret;
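Review bot: in the first hunk the new lookup `frag_stream_info = get_frag_stream_info(&mov->frag_index, mov->frag_index.current, st->id);` is only safe because the `if (frag_stream_info)` check that follows tolerates a NULL result, and the hunk does not show what get_frag_stream_info does when `mov->frag_index.current` is out of range (for instance before any fragment has been read) or when no stream_info entry matches `st->id`; a one-line comment stating that the lookup returns NULL in both cases, or a sentence in the commit message, would spare the next reader from having to check. Two smaller points on the same hunk: the new prototype spells the pointer as `AVStream* st` while the rest of the signature uses `MOVContext *mov` and `MOVStreamContext *sc`, so it should be `AVStream *st` for consistency, and the prototype line now runs well past 80 columns and should be wrapped. If sc can be derived from st inside the function, passing both is redundant and the signature could take only st.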
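Review bot: in the second hunk the updated call `ret = cenc_filter(mov, st, sc, pkt, current_index);` makes the decryption path depend on `st` being the stream the packet was actually read for, which is the point of the fix, but nothing in the patch exercises that path; since the two ClusterFuzz inputs linked in the commit message reproduce the NULL read, consider adding one of them as a FATE sample so the regression stays covered. It is also worth stating in the commit message that `st` and `sc` at this call site refer to the same stream, since cenc_filter now trusts both.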