From: Mattias Wadman
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 13 Oct 2021 18:15:26 +0200
Message-Id: <20211013161526.83708-1-mattias.wadman@gmail.com>
Subject: [FFmpeg-devel] [PATCH v1] libavcodec/flac_parser: Validate subframe zero bit and type
X-Patchwork-Submitter: Mattias Wadman
X-Patchwork-Id: 31102

Reduces the risk of finding false frames that happen to have valid
values and CRC.

Fixes ticket #9185 ffmpeg flac decoder incorrectly finds junk frame
https://trac.ffmpeg.org/ticket/9185
---
 libavcodec/flac_parser.c | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index d3d9c889a1..2c550507fc 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -96,8 +96,34 @@ static int frame_header_is_valid(AVCodecContext *avctx, const uint8_t *buf, FLACFrameInfo *fi) { GetBitContext gb; - init_get_bits(&gb, buf, MAX_FRAME_HEADER_SIZE * 8); - return !ff_flac_decode_frame_header(avctx, &gb, fi, 127); + uint8_t subframe_type; + + // header plus one byte from first subframe + init_get_bits(&gb, buf, MAX_FRAME_HEADER_SIZE * 8 + 8); + if (ff_flac_decode_frame_header(avctx, &gb, fi, 127)) { + return 0; + } + // subframe zero bit + if (get_bits1(&gb) != 0) { + return 0; + } + // subframe type + // 000000 : SUBFRAME_CONSTANT + // 000001 : SUBFRAME_VERBATIM + // 00001x : reserved + // 0001xx : reserved + // 001xxx : if(xxx <= 4) SUBFRAME_FIXED, xxx=order ; else reserved + // 01xxxx : reserved + // 1xxxxx : SUBFRAME_LPC, xxxxx=order-1 + subframe_type = get_bits(&gb, 6); + if (!(subframe_type == 0 || + subframe_type == 1 || + ((subframe_type >= 8) && (subframe_type <= 12)) || + (subframe_type >= 32))) { + return 0; + } + + return 1; } /**
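
Review bot: The `init_get_bits(&gb, buf, MAX_FRAME_HEADER_SIZE * 8 + 8)` call in `frame_header_is_valid()` now declares `buf` one byte longer than before, but the diffstat shows this single hunk is the whole patch, so no caller is changed to supply that extra byte. If a caller still passes a buffer of exactly `MAX_FRAME_HEADER_SIZE` bytes, the new `get_bits1(&gb)` and `get_bits(&gb, 6)` reads can touch the byte past it whenever the decoded header is at its maximum length. Suggest either enlarging the caller-side buffers to `MAX_FRAME_HEADER_SIZE + 1` in this same patch, or keeping the declared size at `MAX_FRAME_HEADER_SIZE * 8` and skipping the subframe check when `get_bits_left(&gb) < 7`. Separately, the commit message could note that only the first subframe's zero bit and type are validated, since the comment table lists the reserved patterns but not that scope.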