From patchwork Thu Apr 23 03:07:35 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 19184
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 23 Apr 2020 05:07:35 +0200
Message-Id: <20200423030741.12158-5-andreas.rheinhardt@gmail.com>
In-Reply-To: <20200423030741.12158-1-andreas.rheinhardt@gmail.com>
References: <20200423030741.12158-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH 05/11] avformat/matroskadec: Don't output uninitialized data for RealAudio 28.8
Cc: Andreas Rheinhardt
Sender: "ffmpeg-devel"

The Matroska demuxer splits every sequence of h Matroska Blocks into h * w / cfs packets of size cfs; here h (sub_packet_h), w (frame_size) and cfs (coded_framesize) are parameters from the track's CodecPrivate. It does this by splitting the Block's data into h/2 pieces of size cfs each and putting them into a buffer at offset m * 2 * w + n * cfs, where m (range 0..(h/2 - 1)) indicates the index of the current piece in the current Block and n (range 0..(h - 1)) is the index of the current Block in the current sequence of Blocks. The data in this buffer is then used for the output packets.

The problem is that there is currently no check to actually guarantee that no uninitialized data will be output. One instance where this is trivially so is if h == 1; another is if cfs * h is so small that the input pieces do not cover everything that is output.

In order to preclude this, rmdec.c checks for h * cfs == 2 * w and h >= 2. The former requirement certainly makes much sense, as it means that for every given m the input pieces (corresponding to the h different values of n) form a nonoverlapping partition of the two adjacent frames of size w corresponding to m.
But precluding h == 1 is not enough; other odd values can cause problems, too. That is because the assumption behind the code is that h frames of size w contain data to be output, although the real number is h/2 * 2. E.g. for h = 3, cfs = 2 and w = 3 the current code would output four (== h * w / cfs) packets, although only data for three (== h/2 * h) packets has been read.

(Notice that if h * cfs == 2 * w, h being even is equivalent to cfs dividing w; the latter condition also seems very reasonable: It means that the subframes are a partition of the frames.)

Signed-off-by: Andreas Rheinhardt
---
 libavformat/matroskadec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 951695b5b5..1dc0b77962 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -2612,8 +2612,8 @@ static int matroska_parse_tracks(AVFormatContext *s) return AVERROR_INVALIDDATA; if (codec_id == AV_CODEC_ID_RA_288) { - if ((int64_t)track->audio.sub_packet_h * track->audio.coded_framesize - > (2 + (track->audio.sub_packet_h & 1)) * track->audio.frame_size) + if (track->audio.sub_packet_h & 1 || 2 * track->audio.frame_size + != (int64_t)track->audio.sub_packet_h * track->audio.coded_framesize) return AVERROR_INVALIDDATA; st->codecpar->block_align = track->audio.coded_framesize; track->codec_priv.size = 0;
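Review bot: the `(int64_t)` widening in the new condition is applied only to the right-hand product; the left operand `2 * track->audio.frame_size` is still doubled in frame_size's own type before the comparison, so a large frame_size can overflow on that side while the other side does not. Writing `2 * (int64_t)track->audio.frame_size != (int64_t)track->audio.sub_packet_h * track->audio.coded_framesize` keeps both sides in the same width and matches the h * cfs == 2 * w requirement the message states. A second point for the commit message: the equality test only excludes the uninitialized-output cases described above if sub_packet_h, coded_framesize and frame_size are already known to be positive; if the condition guarded by the `return AVERROR_INVALIDDATA;` just above the hunk does not reject zero values, sub_packet_h == 0 together with frame_size == 0 satisfies both halves of the new check (0 is even and 0 == 0), so it is worth stating that the earlier validation is what rules that out.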
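The following is an added example, not code from the patch or from FFmpeg: a small C model of the RealAudio 28.8 de-interleaving layout the commit message describes (h Blocks, h/2 pieces of cfs bytes each at offset m * 2 * w + n * cfs, then h * w / cfs packets of cfs bytes emitted from the buffer). It implements both the pre-patch and post-patch acceptance checks side by side and counts how many output bytes a given parameter set leaves unwritten, so the h = 3, cfs = 2, w = 3 case from the message and the "cfs * h too small" case can be seen concretely. The struct and function names are my own; the model assumes the buffer layout exactly as worded in the message and widens both sides of the post-patch comparison to int64_t.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CodecPrivate parameters, named as in the commit message (hypothetical
 * struct; matroskadec.c keeps them in its own track structure). */
typedef struct {
    int h;   /* sub_packet_h    */
    int w;   /* frame_size      */
    int cfs; /* coded_framesize */
} ra288_params;

/* Pre-patch check: reject only if h * cfs exceeds (2 + (h & 1)) * w. */
static int ra288_accept_old(ra288_params p)
{
    return !((int64_t)p.h * p.cfs > (int64_t)(2 + (p.h & 1)) * p.w);
}

/* Post-patch check: require h even and h * cfs == 2 * w, as rmdec.c does.
 * Both operands are widened here so the comparison cannot overflow. */
static int ra288_accept_new(ra288_params p)
{
    return !((p.h & 1) || 2 * (int64_t)p.w != (int64_t)p.h * p.cfs);
}

/*
 * Simulate one sequence of h Blocks: mark every byte written by an input
 * piece, then count output bytes that were never written.  Returns that
 * count (0 means every output byte is backed by demuxed data) or -1 for
 * non-positive parameters or allocation failure.
 */
static int64_t ra288_uninitialized_bytes(ra288_params p)
{
    if (p.h <= 0 || p.w <= 0 || p.cfs <= 0)
        return -1;

    /* h * w / cfs packets of cfs bytes are emitted from the front. */
    int64_t out_bytes = ((int64_t)p.h * p.w / p.cfs) * p.cfs;
    /* Last byte any piece can touch: m = h/2 - 1, n = h - 1. */
    int64_t write_end = (p.h / 2 > 0)
        ? (int64_t)(p.h / 2 - 1) * 2 * p.w + (int64_t)p.h * p.cfs
        : 0;
    int64_t size = out_bytes > write_end ? out_bytes : write_end;

    unsigned char *written = calloc(size > 0 ? (size_t)size : 1, 1);
    if (!written)
        return -1;

    for (int n = 0; n < p.h; n++)          /* Block index in the sequence */
        for (int m = 0; m < p.h / 2; m++)  /* piece index within the Block */
            memset(written + (int64_t)m * 2 * p.w + (int64_t)n * p.cfs,
                   1, (size_t)p.cfs);

    int64_t missing = 0;
    for (int64_t i = 0; i < out_bytes; i++)
        missing += !written[i];

    free(written);
    return missing;
}

int main(void)
{
    /* Constructed parameter sets, including the h = 3, cfs = 2, w = 3 case
     * from the commit message.  Field order is { h, w, cfs }. */
    ra288_params cases[] = {
        { 3, 3, 2 }, /* odd h: old check accepts, 2 output bytes unwritten */
        { 1, 4, 4 }, /* h == 1: no piece is ever written                   */
        { 4, 6, 2 }, /* h * cfs < 2 * w: gaps between the pieces           */
        { 4, 6, 3 }, /* h * cfs == 2 * w and h even: fully covered         */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        ra288_params p = cases[i];
        printf("h=%d w=%d cfs=%d old=%d new=%d uninitialized=%lld\n",
               p.h, p.w, p.cfs, ra288_accept_old(p), ra288_accept_new(p),
               (long long)ra288_uninitialized_bytes(p));
    }
    return 0;
}
```

Running it shows the old check accepting the first three parameter sets even though they leave 2, 4 and 8 output bytes unwritten, while the new check accepts only the last set, which the simulation confirms is fully covered.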