From: James Almer
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 25 Apr 2019 19:04:01 -0300
Message-Id: <20190425220401.1385-1-jamrial@gmail.com>
Subject: [FFmpeg-devel] [PATCH] avformat/aacdec: fix demuxing of very small frames
X-Patchwork-Id: 12913

10 bytes (id3v2 header amount of bytes) were being read before any checks were made on the bitstream. The result was that we were overreading into the next frame if the current one was 8 or 9 bytes long.

Fixes tickets #7271 and #7869.

Signed-off-by: James Almer
---
libavformat/aacdec.c | 34 +++++++++++++++++++++-------------
1 file changed, 21 insertions(+), 13 deletions(-)

diff --git a/libavformat/aacdec.c b/libavformat/aacdec.c index bd324a1420..8a5450880b 100644 --- a/libavformat/aacdec.c +++ b/libavformat/aacdec.c
@@ -20,6 +20,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/intreadwrite.h" #include "avformat.h" #include "avio_internal.h" @@ -154,17 +155,8 @@ static int adts_aac_read_packet(AVFormatContext *s, AVPacket *pkt) { int ret, fsize; - // Parse all the ID3 headers between frames - while (1) { - ret = av_get_packet(s->pb, pkt, FFMAX(ID3v2_HEADER_SIZE, ADTS_HEADER_SIZE)); - if (ret >= ID3v2_HEADER_SIZE && ff_id3v2_match(pkt->data, ID3v2_DEFAULT_MAGIC)) { - if ((ret = handle_id3(s, pkt)) >= 0) { - continue; - } - } - break; - } - +retry: + ret = av_get_packet(s->pb, pkt, ADTS_HEADER_SIZE); if (ret < 0) return ret; @@ -174,8 +166,24 @@ static int adts_aac_read_packet(AVFormatContext *s, AVPacket *pkt) } if ((AV_RB16(pkt->data) >> 4) != 0xfff) { - av_packet_unref(pkt); - return AVERROR_INVALIDDATA; + // Parse all the ID3 headers between frames + int append = ID3v2_HEADER_SIZE - ADTS_HEADER_SIZE; + + av_assert2(append > 0); + ret = av_append_packet(s->pb, pkt, append); + if (ret != append) { + av_packet_unref(pkt); + return AVERROR(EIO); + } + if (!ff_id3v2_match(pkt->data, ID3v2_DEFAULT_MAGIC)) { + av_packet_unref(pkt); + return AVERROR_INVALIDDATA; + } + ret = handle_id3(s, pkt); + if (ret < 0) + return ret; + + goto retry; } fsize = (AV_RB32(pkt->data + 3) >> 13) & 0x1FFF;
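Review bot: In the @@ -154,17 +155,8 @@ hunk, the new retry: label and the read of only ADTS_HEADER_SIZE bytes carry no comment, while the reason for the smaller read (reading ID3v2_HEADER_SIZE bytes up front overreads into the next frame when the current one is shorter than that) is recorded only in the commit message. A one-line comment above the av_get_packet() call would keep a later cleanup from restoring the larger read. The label plus goto retry could also be written as a for (;;) around the read, which would keep the ID3 skipping and the frame read visibly in one loop, as the removed while (1) did.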
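Review bot: In the @@ -174,8 +166,24 @@ hunk, the check "if (ret != append)" maps every failure of av_append_packet() to AVERROR(EIO), so a negative error code coming back from the I/O layer is discarded; consider returning ret when it is negative and keeping a fixed error only for the short-read case. In the same block, the two earlier error paths call av_packet_unref(pkt) before returning, but "if (ret < 0) return ret;" after handle_id3() does not. If handle_id3() already releases the packet on failure, a short comment saying so would explain the asymmetry; otherwise the unref is missing. Finally, av_assert2(append > 0) is only evaluated in builds configured with the higher assert level, and both operands are constants, so a compile-time check would cover every build.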